Freeware trial version doesn't solve the worm problem. Paid version won't install


I am writing in the hope that you can clear up various problems..
( this is also the second time I've written this out , as after spending 2 hours typing into the "post box" , my browser crashed and despite autosave being on at your forums ..my entire post was lost..and it is now just after 06.00am my time..and I have been without sleep due to this problem for the last 24 hours..plus very little sleep since last Saturday Dec 1 when the problem began )..

I have a win7 ulti Desktop machine which is "air gapped" from the internet..( since losing 3 days spent dealing with a virus on XP 5 years ago, I do not connect my main windows machines to the web, I have a laptop with XP for downloading windows updates..and an old Desktop with XP and IE8 for testing sites that I make to see if they are OK in that browser )..all other machines are linux..

I only ever use Transcend USB sticks that I buy in unopened blister packs from retailers here in France..

So..normally I should have no worries about viruses or worms etc..

In fact I am the person who "fixes" PCs which have windows problems ( won't boot ..lost data..corrupt mbr etc etc ) for friends and neighbours..

Recently I repaired a win vista box that would not boot for a neighbour..whilst explaining to him what I had done..he mentioned to me that he would have liked to be able to see which folders were taking up the most space on his machine..I use an old freeware program which dates from the days of win98II..and which works on all win OS..it is no longer available..so I offered to make him a copy..

He gave me a USB stick to make the copy to..

and yes ..I ( without thinking ) put it into my win7 ulti machine on Saturday Dec 1st..

( I have never used anything, neither CD, DVD or USB which has "autorun" in that machine..and was not aware that win7 "out of the box" allows "autorun"..which is right up there along with "hide system folders" and "hide known file extensions" in the "Hall of really stupid things that Microsoft did" )

The USB key "autoran"..both my monitors flickered briefly and the images juddered for a split second..and I caught a very fleeting glimpse of a "Dos box" ( or terminal )..

Then it began..

I got a "pop up" alert ..small box ..
"Updates.exe - No Disk"..
and a big red circle with a white X in and the words
"There is no Disk in the drive. Please insert a disc into drive \Device\Harddisk7\DR7"
and below were 3 buttons..
"Cancel", "Try again", "Continue"..and a small x at top right to close the box with..


( this machine has a 250 gig C: drive with the OS and programs on around 198 gigs of it, and 5 other drives of 2 tera each with assorted files and photos on each..tens of thousands of photos..my work..this machine is its own backup, all photos are "duplicated" across the 5 x 2 Tera HDs )

So I closed the box via the small "x"..

Took around 6 clicks before it closed..unusual behaviour..

It popped open again..So I closed it again ( by clicking multiple times on the small "x" at top right )
..and it opened again..and so on..This happened around 10 times..and each time that the box came back , the number of the "drive" that it was complaining about went up by one digit..until it reached 10..
then it began at seven again and went back up..and so on..

I decided that his USB key was defective..and tried to "eject" it..
Windows said it was "in use"..So I decided to reboot ..and remove the key whilst the reboot was "dark"..

The "reboot" went slowly..but that can happen with windows..
had a very brief screen flicker when the logo was "swirling in"..

Upon logging in again..same thing..same alert box..
( I had removed the key while the screen was dark , before the BIOS screen came up )

So I pulled up task manager and shut down "updates"..which was taking up 49% of CPU
( twin core intel 2.2 with 4 gigs of RAM )
same alert box popped up ..but this time it said that "adobe acrobat.exe" was the process that was responsible for the alert box..
So I "killed" that in task manager..and it popped the alert box again..said that "something else.exe - no disk"

So I decided to run system restore..

The alert box stayed in place while system restore launched..
Restore ran very very slowly..

When I logged back into my desktop it said that system restore could not complete..and gave one of the usual cryptic numeric codes that windows uses that tell you nothing at all and that deep searching on the internet only brings back conflicting theories about..

So I tried another system restore ( in the meantime the alert box was back again..no drive etc etc ) ..

This time again it said that system restore could not complete..and gave a different number..
( the joys of windows ..incomprehensible cryptic error numbers since 20 years )

So I began searching for what the symptoms might mean..

and discovered that I had probably picked up an "autorun worm" from his USB key..

Checked the root of each drive..and sure enough..each had its own autorun.inf file ( 1kb )..and each autorun.inf file points to a matching random 4 or five letter .exe or .pif ( around 100kb file )..names like ttpfy.exe or dukdo.pif etc..
One can delete the .exes or the .pifs..but when one tries to delete the autorun.inf files in any drive ..windows says that it is being used or is open in whatever the name of the file that is in the small alert box with the 3 buttons at the time is on the screen..and refuses to delete it..

So ..I had seen on bleepingcomputer.com, a link ( and a tutorial ) for malwarebytes, I've used malware bytes on many occasions in the past to repair and clean computers for many people ( usually download the free version..do the "clean up", tell them to buy the paid for version and they won't have to worry..and to get an antivirus ..I also usually install linux ..mint ..as a "dual boot" and suggest that they use it when surfing etc to avoid the drive bys that target win boxen )..so I downloaded malwarebytes via the link at bleeping computer.com..

<suggestion-complaint> It is impossible to know how up to date the program and its data base is before installation..the version that bleeping computer download is mbam-setup-1.75.1.300.exe ..and its data base is 244 days old !!..Why is the data base so old ?
There must be very very many people like myself who do not want to allow a machine to connect to the internet to update a data base / virus tables or "rules", and take the risk of something wiping out or corrupting data while they are downloading an "update"..the latest version of a data base and the program should always be the one that is available for download, especially if the download is from a site that you apparently have personal or commercial links with or which may be an affiliate of yours*

For some reason that I cannot fathom the index of files that allows one to decide what can be safely left or deleted when it is found by malwarebytes is even on bleeping computer .com..and not on your own site..for a freeware version that is strange ( normally one would expect that as you have to know what files are safe and which are hostile etc, in order for malwarebytes to "flag" them..that the tables which allow the users of your software to make sense of your software's results..would be on your own website )..and for someone who purchases a paid version, it is normal for the program's vendor to have the "tables" and or "indexes" of files and advice as part of the support on their own website..Sophos or AVG or Antivir don't sell their programs but then send you to a 3rd party site in order to be able to make sense of what they sold you..

And there are many links at bleepingcomputer.com in the file index tables that lead to yet other websites..many of the files that malwarebytes finds and for which the only mention is to be found at bleepingcomputer.com, then are linked from there to pages which return 404s at Sophos..so one is none the wiser..other files found by malwarebytes have as many as 20 entries at bleeping computer.com..and their advice as to whether they should be deleted or kept is contradictory ( even as to in which directory one would normally find the "good" ones )..or non existent..

This kind of detail about what to do with what your program finds ..really should be on your own website..even the people in China who copied your "rules" have better detail "on their own website", about what each file does and if it is safe to delete or not..
</suggestion-complaint>

Malwarebytes installed..and promptly told me that it was 243 days out of date ( now as I type this..for the second time ) 244 days out of date..and for the reasons given above about exposing my data to possible corruption etc from other sites or bots whilst downloading your updates..No Way am I going to connect to update a database that is 240 odd days out of date..

So I ran it as it was ( unupdated ) ..It found all the files in the roots of each drive..( and also flagged some other files..which meant I spent many hours looking all over the web ..and at bleeping computer..and in your forums for clues as to were they safe or not , would the machine start ( even in safe mode ) if they were deleted..or if they were left..( because maybe they were system files ) would the worm** be lurking in them and return again..

**From its symptoms and behaviour..and the files it "drops"..and most of all from the names it gives to 3 "keys" it would appear that I have an autorun worm, variant of win32/SILLYFDC or something from the same family..it is just smaller than the size that I find mentioned on the web for this family of worms..usually they appear to drop an autorun.inf and an exe or pif of around 200kb ( and not 100kb ) in the root of each drive..

The 3 keys that malwarebytes says are "objects" are ..
HKLM\SOFTWARE\Microsoft\Security Center|AntivirusDisableNotify ( and on the same line under "other" is ) BAD (1) GOOD (0)
HKLM\SOFTWARE\Microsoft\Security Center|FireWallDisableNotify ( and on the same line under "other" is ) BAD (1) GOOD (0)
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify ( and on the same line under "other" is ) BAD (1) GOOD (0)

( in case your forum software changes it..the character after the word "Center" in each line..is a "pipe"..and there is an actual whitespace between Security and Center )

The problem I then have is ..

Malwarebytes finds the files and the keys..I choose "delete"
( from the scan window..after "quick scan" as recommended by your site )
"quick scan" takes around 5 minutes for my 250 gig C drive
bleeping computer.com says to do "full scan"..takes around 4 hours..

I have now done both sorts of scan..many times ..

Because while malwarebytes is running even a quick scan..the "no drive" alert pop up happens..the pair of files are dropped to the root of each drive ..malwarebytes finds them..and the 3 "keys"..I choose "delete"..
Malwarebytes says "restart" the machine to delete properly..

I allow malwarebytes to "restart"..and the files and the keys and the pop up "alert" appear again as soon as I reach the desktop..

I have disabled "updates.exe" via autoruns at startup..and done the same for jusched.exe and acrotray.exe..
( both of which were appearing sometimes as the .exe process in the alert box that was complaining about "no drive")
Now each time I allow malwarebytes to remove and restart..
the alert box says that "Malwarebytes.exe - No Disk"
and although I can delete the "dropped".exe or .pif from each drive root..any attempt to delete the autorun.inf in any drive root is met by windows with
"cannot be deleted is open in malwarebytes.exe"

AAAArghhhhyh!!

So..I thought..maybe my free malwarebytes is so old that it cannot do this..

I came back to the forums and read that there was an offer over the weekend..

So I followed the link..and bought a copy from your download page
mbam-consumer.exe..( cost me €11.00 including VAT or TVA as it is in France )
no problems with the download from cleverbridge..

Received this ..
Your cleverbridge reference number: 52850277
and my ID and key

Even registered and posted in the forum that the "deal" was still apparently running..

I thought all would be well..all I'd have to do was run mbam-clean..
and install my paid for malwarebytes freshly downloaded and hopefully up to date..
( the mbam clean linked to from all the links on malwarebytes.com is mbam-clean-1.60.20003.exe )

So I ran it..

It said I should allow it to reboot..so I did..

I then doubleclicked on my brand new mbam-consumer.exe ready to copy and paste my new ID and key..
and to finally be rid of this %*$0 worm..

and..and ..

I get..

an error alert box..

slightly bigger than the worm driven one..

big red circle..big white X in the circle..
"The setup files are corrupted, or are incompatible with this version of
Setup.Please correct the problem or obtain a new copy of the program"

WT$ went wrong ?

This is win7 ult 64 bit..

the out of date mbam from Bleeping computer sets up ..but doesn't get rid of the files that it says it is removing..
and the brand new downloaded and paid for mbam won't even set up..
and I closed the download page hours ago as the download was successful..

so I cannot "obtain a new copy of the program"

Please excuse any speeling errors..I'm waay too tired to proof read this after typing since 01.00 hrs my time
( it is now 08.45 here wednesday morning..) and to add to the difficulty, all of this is being typed on an azerty
keyboard ( as are all keyboards available in France except those from specialist sites and shops in Paris which is 500kms to the east of me ) ..all the machines I run ( linux and win are English OS ) all their keyboards are French

Link to post
Share on other sites
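An added example, not part of any post in this thread: one way to triage a stick's root from a machine that never honours autorun (such as the poster's Linux boxes), reporting any executable that an `autorun.inf` would launch. The function names are hypothetical; `ttpfy.exe` is the name quoted in the post, and the sample file contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions Windows executes directly; the post saw .exe and .pif droppers.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
PLACEHOLDER = b"constructed placeholder bytes, not a real sample"

# Constructed autorun.inf: mixed case and junk lines, as worms often pad the file.
SAMPLE_INF = r"""; kq3jd9 x82hf
[AuToRuN]
zzqpl wmmx
open=ttpfy.exe
shell\open\command=.\ttpfy.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, matched case-insensitively.
    Lines that are neither a section header nor key=value are skipped."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Base names of the files that the launch keys would start."""
    names = set()
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key not in ("open", "shellexecute") and not is_verb:
            continue
        # First token of the command line, honouring a quoted path.
        token = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ")[0]
        name = token.replace("\\", "/").rsplit("/", 1)[-1]
        if name:
            names.add(name)
    return names


def triage_root(root):
    """Report executables in a drive root that its autorun.inf would launch."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    inf = files.get("autorun.inf")
    if inf is None:
        return []
    findings = []
    for name in sorted(launch_targets(parse_autorun(inf.read_text(encoding="latin-1")))):
        if Path(name).suffix.lower() not in EXECUTABLE_EXTS:
            continue
        target = files.get(name.lower())
        findings.append({
            "target": name,
            "present": target is not None,
            "size": target.stat().st_size if target else None,
            "sha256": hashlib.sha256(target.read_bytes()).hexdigest() if target else None,
        })
    return findings


def build_sample_root(root):
    """Write the constructed sample into an empty directory and return it."""
    root = Path(root)
    (root / "AUTORUN.INF").write_text(SAMPLE_INF, encoding="latin-1")
    (root / "ttpfy.exe").write_bytes(PLACEHOLDER)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in triage_root(build_sample_root(tmp)):
            print(finding)
```

Point `triage_root` at the mount point of the stick; an empty list means no `autorun.inf` launch entry names an executable.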

Hi, artleo: :)
 
Wow!
That sure is a detailed and lengthy post -- it might be a bit "TMI" for most of us at the forum. ;)
 
I gather that you are infected and are having trouble cleaning a computer from some sort of worm?
 

Unfortunately, no one security application -- not even a powerful program like MBAM -- can possibly provide 100% protection against every variant of every form of today's ever-changing, ever-morphing malware, or from every unsafe practice of some computer users. :(

Some of today's nasty malware is EXTREMELY hard to fully detect and remove.

Doing so safely requires the use of multiple, powerful tools and expert guidance.
We cannot do that sort of work here in this particular area of the forum.
 
So, if you think you are infected, for expert assistance, please follow the recommendations in this pinned topic: Available Assistance For Possibly Infected Computers.
A malware analyst will guide you through the cleanup process.

Thanks,

daledoc1

Link to post

Thanks for your reply..but you apparently missed the part where I said that I had uninstalled the freeware version of malwarebytes that was not removing the worm..and that the paid for version mbam-consumer.exe that I bought yesterday..won't install!! ..a malware analyst is not much use if the paid for program will not install ..

 

The impossibility of installing something that I paid for is the major problem..

 

I have been working on computers since the days of punch cards back in 73..

 

I don't need "expert guidance" that is going to tell me to use a succession of software ( I have read the expert guidance threads here..that is what they consist of ) ..

 

That is the "hit it with everything in the hope that something works approach"..

 

I need a link to a working and up to date version of the software that I paid for yesterday..the download link provided from the merchant page does not download working software..working being defined as possible to set up on the machine config ( OS and architecture ) that it was sold for..

Link to post

Hi:
 
Sorry, but your post was VERY long, so I might have missed something therein.
Sorry, as well, but I am just trying to help.
I understand that you are frustrated.
 
If you are unable to install the PRO version on the infected computer, it's likely because of the infection.
Many forms of malware do just that.
The experts in the malware removal forum or at the help desk will have additional tools and workarounds to help to get your system cleaned.
They will help you to get MBAM PRO installed, activated and running.
 
Also, if the Free version is already installed on the infected rig, then it is not necessary to reinstall the program to convert it to "PRO".
All that is needed is to activate it using the license ID and key sent to you from the reseller, Cleverbridge, or located in the box or on the CD sleeve, if you  purchased boxed.
Here is how to activate: How to Activate the PRO version.
There are many more informative links and videos here: Knowledge Base
 
The official link to download the program is here: Where can I download the latest version of Malwarebytes Anti-Malware?
You will be taken to one of several official mirror sites. Here is a complete list (I have not verified all of them today, but they should work.)

Once again, to reiterate, we are not permitted to work on complex, malware-related issues here in this particular sub-section of the forum.

That includes the installation of MBAM PRO on an infected computer.
So, I will once again respectfully refer you to the available resources for that: Available Assistance for Possibly Infected Computers.
 
That's about all I can offer at this point. :(
 
If it's not sufficient, please wait for further assistance from another forum member or staffer.
 
Best regards,
 
daledoc1

Link to post

I know how to "activate" the freeware version to make it a "pro version"..the problem with the freeware version is that it was so out of date..

I am not looking for links to external websites ( most of which on your list do not allow one to directly download any program but merely to download their own ad ridden "installer/ wrappers"..

Bleeping computer is already not linking to the latest version..and as the version number is not indicated at any of the "partner sites" that you mention..they may also not have the latest version..despite what they are supposed to be linking to when one downloads ( maybe if they were content just to drop an affiliate cookie instead of trying to bundle adware and toolbars with their "installers" they could link to the latest as opposed to their "enhanced versions of software )..

 

I already downloaded the official version direct from malwarebytes..I posted my transaction reference number received from cleverbridge above..

 

That is the version that will not install..and for which I have already paid..I do not need a bunch of links that point me to places that will either bundle "crap" and an installer ( and remember my machine is "offline" ) or which will require me to pay again for the same item..

Link to post

I'm sorry I cannot provide the answers you seek.

 

I've done my best, first to steer you to the promotional purchase discount, and to provide assistance here.

I am just a forum volunteer trying to help by providing links to official support pages.

I do not control where or how MBAM conducts their product downloads, but here is information about it: Why do you use download sites such as CNET, FileForumBeta and others? They sometimes have bad reputations

 

If you are unhappy with the product, I'm sure that they will be happy to issue you a refund:

What is the refund policy for Malwarebytes Anti-Malware?

 

I'll leave any further assistance for you to other members & staff.

 

Good luck!

 

daledoc1

Link to post

All the links that were provided above do not have any bundled "crap" as you put it. Malwarebytes works hard with those download sites to ensure that their installer is free from any added bundles. That being said, you can download the installer directly from =>HERE<= The Free version and the PRO version installer package is the same, what makes it PRO is when you enter the ID and KEY.

If however you are having issues installing Malwarebytes (not saying you're infected, or due to an infection) you can always try getting Malwarebytes installed using Malwarebytes Chameleon, which this technology gets Malwarebytes running when blocked by malicious programs. You can get this from =>HERE<=

All in all it's your computer and you can do with it as you please, we are only trying to help by providing you the official answers that are used here throughout the forum. It's up to you to decide if you want the help.

Link to post

"All the links that were provided above do not have any bundled "crap" as you put it."

 

I presume from that comment that you have not used CNET recently..their "installer" is bigger than the file size of malware bytes and any other program that they offer..

 

I have had to remove adware from people's machines that have used every site linked to by daledoc1 except bleepingcomputer.com

 

They didn't used to do this kind of thing..now even tucows have some installs with toolbars and preticked boxes for Chrome etc..

 

The web has become far more sleazy since the days when we were all on slow modems and ads were banners and anigifs..

 

If an affiliate does not drop a cookie..( so the vendor can track who to pay ) .then they add something..else how are they going to pay their bandwidth..running adsense is not enough..not even for "premium partners" if they are offering downloads..

 

You don't go to download site to click on an ad..less than 1 in 1000 visitors to a software download site will do so..

 

Malwarebytes "works hard" to make sure that their affiliates are offering only "clean" software and the latest versions of it doesn't seem to be working out too well if Bleepingcomputer.com offer a download that is over 240 days old !! that is useless for repairing machines which are offline..

 

I hear you about chameleon ( already read most of the tech pages here yesterday )..But if an old version of Malwarebytes can install OK..then either it ( the non installability of the paid for download ) is not down to the writers of the "nasty" knowing the name and the exact version number of the program..although the fact that the installer from Bleeping computer actually has a "version string" visible after the download ( but not a date stamp )..and that the official download from Malwarebytes simply calls itself mbam-consumer.exe might be making it a little easy for any malware writer to see which file name to block ..generating a random filename at download ( and informing customers prior to download that that was going to happen ..and why , would seem to me to be an elementary approach to circumventing the problem of malware identifying the program via its name, especially since chameleon basically does just that..but only after the download..

 

All of which could also be 99% solved by just making sure that the latest version of malwarebytes was the only version that the various affiliates were allowed to link to..( verification that they were doing so is as simple as programming a crawler to check their download links..and telling them to give access to the aforementioned crawler, if they wanted to be an affiliate )..also the affiliate sites make it far easier to find their download links..For example there is not even a link to the program in the header or footer of this forum!! ( and this forum is on a subdomain of the program's own site!! )..marketing 101."link to your product's download page or buy button from every page of your site and every page of all subdomains..the search engines don't penalise you for it..they even like it..it reduces your "bounce rate"..and they really like a low bounce rate"..

 

One of you has to post a link to the latest version into a thread..if you didn't we'd have no way to get to it apart from searching via search engine..and maybe hitting the download page of an affiliate with an out of date version..or one with "added" items..

 

like I said earlier..I have used the program many times in the past..it usually works very well, and would and do recommend it , but the making sure that the customer has the latest and most up to date version of it ( marketing , SEO, and support ) is ( in my recent experience ) severely lacking, if it needs volunteers to post links to the latest versions and to provide basic customer support..

 

So ..I'll try the link that you posted.. and try renaming the installer etc etc..or even reinstalling the out of date trialware version that actually will install, and manually updating its "rules" with a set that I found linked to from elsewhere in the forum..apparently the latest version of the "rules" dates to august of 2013..no way to find what is the latest compile date of the actual software..without downloading it and hoping it installs so as the "about" section can be read..putting the latest versions inside a "zip" file and including a read me ( basic guide as to what each tab and window does ) and a change log would be useful too ..and is the way that most everyone else does software, be it freeware, trialware..or paid ware..

Link to post

Btw..the download link that you pointed me to as the latest version..is for exactly the same version number ( and thus is the same age ..ie 244 days out of date ) as the version linked to from bleepingcomputer.com..and is most definitely not the same version ..nor the same name..nor the same file size, as is the version that one gets when one pays for Malwarebytes at cleverbridge and is sent to the thankyou for your purchase here is your download link button..

 

So it will be interesting to see if ..

a) the version you linked me to as "the latest" will install..

 and 

b) if the code and key that were emailed to me from cleverbridge after my payment will even work with it..

 

c) perhaps someone from the Malwarebytes official staff can enlighten me ( and any other readers ) as to why the site here doesn't link ( or at least your link doesn't ) to the same program file as the paid for program page thankyou button..

Link to post

Oh ..and d) If it is possible to update it manually with the "latest rules"..

 

are the paid for and the trialware really the same program ? ..their file size is not the same..and given that they both need an ID and a key entering to become activated they should be..

 

they should have the same MD5 hash etc if they are exactly the same.. 

 

if they are not..it would explain  why the one can install .and the other cannot..

 

btw..re ..the one which can be installed.

like other posters elsewhere in the forum here ..I too had it using over 40% of CPU rising to 60% CPU..

running processexplorer ( from system internals ) explains why..

despite it being told to only look at C drive ..when it reboots after first run ..it is actually

"looking" randomly into all other connected  Drives whilst it is running "protection"..one can follow the actions via the lower window on process explorer..

a bug?

Link to post

  • Root Admin

There are different links for different affiliates which contain their number and why the links are different and why we don't post an MD5 hash as they're not 100% the same.

 

The latest version of the program came out on April 9, 2013 which comes with the latest rules that were available at that time.  Immediately after install the system asks you to update the database just the same as all other antivirus and antimalware products do.

 

At this time do you need assistance or were you able to get the program installed and working ?

 

If you want dedicated support (included with your purchase) you can contact the Helpdesk and they will assist you directly via email.

 

Thank you

Link to post

This topic is now closed to further replies.