soapysouter

I've been hit by a bug and Malwarebytes won't run

Hi there

This is my first post so I hope I can give you the right information so that you can perhaps help me out.

I have an HP computer running Windows Vista and I use Avira Anti Vir Guard as well as Malwarebytes. In fact I find Malwarebytes picks up much more than Avira! I update both programmes pretty much every couple of days and run scans at least once a week if not more as I have been hit with some bugs in the past.

Last week I found that Google was being hijacked. The Google search page would come up and when I entered a search it would return a blank screen. I then found that something was disabling the online protection feature of Anti Vir Guard and it wouldn't let me switch it back on.

I was getting an Avira warning any time I went near the computer keyboard. It was saying that it had detected a WIN32 Trojan Agent.

My first port of call when this happens would have been Malwarebytes but I was unable to launch it. I tried deleting the software and re-downloading it but with no joy. I then tried downloading Malwarebytes on to a memory stick from my son's computer, installing it on the memory stick and then tried to scan my computer but it would not let me do that either. I also tried all this with the computer started in safe mode.

I got Adaware to run and it identified a bug called TR/Alureon.20480C.1. It said it had deleted it but needed to reboot the computer to complete the deletion. When I reboot the computer and run the Adaware scan the bug is back.

I can't do a system restore which I thought might help as there are no system restore points set now.

Now, whenever I start up in normal mode the computer tells me there is a problem and closes itself down.

I was beginning to think that the only thing I could do would be a complete system re-install but can't bear to think that might be the only solution.

ANY help would be very gratefully received.

Hi and welcome to Malwarebytes.

Can you get to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu)?

If so, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Thanks. I'm at work now but will do this as soon as I get home. I downloaded ComboFix onto a memory stick so I can run it from that if I can't get it through a browser. When I open in safe mode, should it be safe mode with networking? Also, I don't know what a HijackThis log is. Is HijackThis another app? Sorry to be so dumb, but this is the first time I've had to do this.

Thanks for your help

Okay thanks for letting me know.

Yes HijackThis is another program; don't worry about it for now though.

-screen317

I ran ComboFix last night and it hung for a long time, then it came up with a screen telling me that there were possible rootkit (is that right?) issues and gave me a list of 5 files to write down, and then it rebooted the machine. When the machine rebooted it went through the screens as shown on the "how to" webpage and deleted some files. I have the log report, which I will post below this message, but I just wanted to mention another couple of things. After ComboFix had run I was able to activate Anti Vir Guard and also launch Malwarebytes (and I'm not sure if this was the wrong thing to do) and asked it to run a Smart Scan. It came up with one infected file and then after about 30 seconds the computer crashed. I will post the crash log after this message also.

When I rebooted my PC I was able to complete a Malwarebytes scan and I will post the log after this message.

I updated my AVG and let it run on a full scan overnight. When I got up this morning, it was at the Vista opening screen (the one where you are given the option of which user account to log in to), but when I tried to log in I got a message saying that something had occurred to limit Windows functionality and that it was closing down, and then it wouldn't let me log back on to Windows. Might this have been a side effect of ComboFix?

Anyway here is the ComboFix log report

ComboFix 09-08-26.05 - Neil 26/08/2009 22:41.1.2 - NTFSx86

Microsoft

Hi,

Please completely disable all of your protection programs before continuing.

Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

FixCSet::

KILLALL::

Reglock::

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Regnull::

[HKEY_USERS\S-1-5-21-1793114794-4045759619-3733177186-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X*v*i*D*-*A*R*R*O*W*-*M*F*D*s*s*"!\OpenWithList]

ReglockDel::

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\SKYNETfyrterwd]

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

After that, please open Notepad. Copy and paste the following text (starting with @echo off) into the Notepad document.

Navigate to File --> Save As..., and save the file as soapy.bat (make sure the Save As Type is set to All Files).

Save it to your Desktop.

@echo off
rem PEV (the file-listing tool that ships with ComboFix) writes its listing of Program Files to Logit.txt, which Start then opens in Notepad
@PEV -rtd -d+2007 "%ProgramFiles%\*" >Logit.txt
@Start Logit.txt
rem the batch file removes itself after running
@DEL %0

Now navigate to your Desktop, and double click soapy.bat

A black window will open and close quickly. This is normal. A Notepad document should open; please post the contents of that document.

-screen317
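The batch file above leans on ComboFix's PEV tool to produce a dated listing of Program Files so that anything dropped or modified recently stands out. The script below is an added example (not part of screen317's instructions, ComboFix, or PEV) that performs the same triage step in portable Python: it walks a directory tree, keeps every regular file whose modification time falls in a cutoff year or later, and writes a Logit.txt-style report with the newest entries first. The exact meaning of PEV's `-rtd -d+2007` switches is not documented on this page, so treating them as "recursive listing with dates, from 2007 onwards" is an assumption; the sample directory tree the script builds is constructed for demonstration and is not from any real machine.

```python
import os
import stat
import sys
import tempfile
from datetime import datetime, timezone


def find_recent_files(root, cutoff_year):
    """Walk `root` recursively and return every regular file whose
    modification time falls in `cutoff_year` or later, as a list of
    (mtime_utc_string, size_bytes, path) tuples, newest first."""
    cutoff_ts = datetime(cutoff_year, 1, 1, tzinfo=timezone.utc).timestamp()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # locked or unreadable entry: skip it rather than abort the sweep
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks and other non-regular entries
            if st.st_mtime >= cutoff_ts:
                when = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                hits.append((when.strftime("%Y-%m-%d %H:%M:%S"), st.st_size, path))
    # Newest first, so a freshly dropped file is at the top of the report.
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits


def write_report(hits, out_path):
    """Write the listing in a fixed-column layout that is easy to read in Notepad."""
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(f"{'modified (UTC)':<19}  {'bytes':>10}  path\n")
        for when, size, path in hits:
            fh.write(f"{when:<19}  {size:>10}  {path}\n")
    return len(hits)


def build_sample_tree():
    """Constructed fixture (not a real machine): a fake Program Files tree
    with one file last touched in 2005 and two touched in August 2009."""
    root = tempfile.mkdtemp(prefix="progfiles_")
    old = os.path.join(root, "OldVendor", "legacy.dll")
    new1 = os.path.join(root, "NewVendor", "setup.exe")
    new2 = os.path.join(root, "NewVendor", "data", "cache.dat")
    for path in (old, new1, new2):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 16)
    old_ts = datetime(2005, 6, 1, tzinfo=timezone.utc).timestamp()
    new_ts = datetime(2009, 8, 20, tzinfo=timezone.utc).timestamp()
    os.utime(old, (old_ts, old_ts))
    os.utime(new1, (new_ts, new_ts))
    os.utime(new2, (new_ts + 60, new_ts + 60))  # the newest file of the three
    return root


if __name__ == "__main__":
    # Usage: python recent_files.py [directory] [year]
    # With no arguments it scans the constructed sample tree from 2007 onwards.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    year = int(sys.argv[2]) if len(sys.argv) > 2 else 2007
    results = find_recent_files(target, year)
    count = write_report(results, "Logit.txt")
    print(f"{count} file(s) modified since {year} under {target}; see Logit.txt")
```

Modification times are only a first filter: malware can backdate a file, so a clean-looking listing rules nothing out, but a handful of recent files in a directory that should not change is exactly what a helper reading the PEV log is looking for.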

OK. Done all that, and here are the logs posted in the order requested:

ComboFix 09-08-29.01 - Neil 30/08/2009 12:56.2.2 - NTFSx86

Microsoft

Hi,

Delete SecurityCheck

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java™ 6 Update 3

Java™ 6 Update 5

Java™ 6 Update 7

Adobe Reader 7.0.9

Restart your computer.

Get the latest version of Java and Adobe Reader.

Next, it is absolutely essential that you upgrade to Windows Vista Service Pack 1. What you currently have has vulnerabilities that leave you wide open for re-infection. To upgrade, please click Start, type in Windows Update, click Windows Update, then download all available critical updates, including Service Pack 1.

Let me know how that goes and if there were any issues updating.

-screen317

After you download the service pack, we will investigate the Windows Update issue.

Let me know how it goes.

-screen317

I did all this last night and everything seems to be working fine and the Windows update feature seems to be working now also. I am extremely grateful for your help.

One last thing, I saw on the Windows download site a Service Pack 2 for Vista. Should I be downloading and installing that as well?

Yes please do, and let me know if it was successful.

Be sure to disable your protection programs before installing it though.

Hi there

I did install Service Pack 2 but stupidly forgot to disable the Avira Anti Vir Guard as you instructed. Everything seems to be working OK except Windows Security Alerts keeps telling me that Avira is turned off and then will not allow me to turn it back on, even though according to the Avira screen everything seems to be activated. Will I have to delete the Avira package and re-install it, do you think?

I have had a rash of trojan alerts which Avira seems to have dealt with. I ran a Malwarebytes scan which came up with 6 offending files which it got rid of. I rebooted and ran another full Malwarebytes scan which gave me the all clear. I then ran an Avira scan which came up with another bunch of files which it quarantined.

Do you think I need to do anything else? It certainly seems nowhere as bad as the first time I got hit.

Hi,

Could you post the log from MBAM?

Download the installer for Avira, then disconnect from the Internet. Uninstall Avira while disconnected, restart your computer, then install it with the installer you downloaded. Restart your computer and reconnect to the Internet.

Let me know what issues remain.

-screen317

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
