
Not infected? But MBAM won't run


Hi

My friend's computer (XP SP3) was running very slow. Malware was suspected because immediately before the slowdown she had gone to a (work-related) website in India that attempted to install malware. Symantec AV quarantined bloodhound.pdf.18, but who knows what evaded the AV software? (She couldn't remember whether she was using Firefox 3.5 or MSIE7 at the time.)

I fixed a problem in Outlook that seems to have corrected the slowdown, so I'm not sure that the computer is really infected. However, MBAM won't run. So I uninstalled Symantec AV, re-installed MBAM 1.43, and ran it in safe mode and in normal mode. MBAM's behavior is unchanged: it opens to the scan tab for about 5 seconds, then shuts down. I see no other security software that might interfere. I also renamed mbam.exe to Winlogon.exe; no change in behavior. Process Explorer doesn't show anything like the SystemSecurity process or other problems that I can see. RootRepeal found nothing and reported no suspicious sys files. In safe mode I ran 3 versions of rkill, then SDFix, which found nothing. SuperAntiSpyware found nothing. ComboFix found nothing (but deleted qmgr0.dat and qmgr1.dat from docs & settings ...\microsoft\network\downloader\, where I suspect they were supposed to be).

So I think the computer may be safe in fact. But why won't MBAM run?

I'd be glad to repeat any of these steps if you suggest.

Thanks


Hello RRTT, and welcome to Malwarebytes.org

Sounds like you have done some work there..... Try following the below instructions.

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post, make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org


I did post there; it's down almost to Page 5 already on that forum, so it looks like a helper may get to it in the next day or two, maybe. (You guys are busy, I appreciate it.)

http://www.malwarebytes.org/forums/index.php?showtopic=35367

Meanwhile, is there any possibility that it's NOT a malware issue, but that some other peculiarity of this computer is keeping MBAM from running longer than a few seconds? What might do this? It doesn't seem likely, but the tools I've tried so far don't seem to find specific signs of malware on the computer.

I have done what I could as suggested at "Procedures to help resolve issues preventing MBAM from running".

(I can wait for a response on the other thread, if the question can't be answered without specific results from trying various things on this computer.)

Thanks

Richard

p.s. quick question: if it IS a malware issue, how concerned should we be that it may have spread over the network to other computers that were on the LAN with it?

If malware can escape detection by the tools I have been able to run, AND can spread over a LAN, this would be bad news indeed. I would assume it would similarly escape detection by MBAM (and the other tools), if MBAM could be run on the other networked computers? At least until it brings in other more detectable malware.


Hi RRTT -

If it has been a few days on the HJThis pages, please answer to your own posting with "Bump - It has been 3 days since I posted" -

This will get you closer again - No need to fully repost your logs unless you are using that computer - Next, have you tried to Un/re install the program (1 or even 3 times), as this may help - Read item #7 at the link below, making sure you reboot in the middle of the Un/re installs - Ignore license if using free - This ensures a clean new copy each time - Can you also keep trying to update the program -

http://www.malwarebytes.org/forums/index.p...ost&p=49525

As far as passing it on you have a very small chance of doing that (but it still depends on infection) - It is better to stop emailing from the infected one as that is the main spreader from you -

Most malware comes from sites that are meaning to pass it on to you - So it targets a specific machine rather than an entire network -

(whether she was using Firefox 3.5 or MSIE7 at the time)
This is usually not relevant.

Thank you for taking the time to post back - :D

EDIT - Will keep looking for help for you - You also have 3 Unknown toolbars that may be related -

Run Full scans with SASpyware also as it may find something (update it first) - If you use Combofix be very careful and delete the program when finished as there was a problem with Combo and it was even pulled for a week or so until it was fixed -


Thanks for the suggestions, noknojon.

It's only been ~1 1/2 days; I guess there are more people with problems than there are volunteers. (If I post more details to the thread in the HijackThis forum, will I lose my place in line?)

Thanks for the reminder to uninstall ComboFix.

One of the MSIE browser extensions was from Real.com; I've disabled it and the MSN browser extension. I see no unidentified toolbars in MSIE. The computer did have AOL long ago, but it's not shown by MSIE now.

I've uninstalled/reinstalled MBAM 3x, still no go.

I re-ran RootRepeal, still nothing shows up.

Will reinstall & scan with SAS, but the previous scans done with it WERE full scans, so I don't expect a different result.

So unless you have more suggestions to rule out other non-malware issues with MBAM, I'll assume it's extra-sneaky malware and wait for help on the other thread. But if so, maybe this is a new problem the MBAM team needs to address specifically? (Or maybe just something specific to my cheap eMachines computer.)

thanks!


OK, I finally managed to get my new USB wireless adapter to work on that computer. So I fired up Internet Explorer for the first time since I've had the computer here. It got redirected to two evil sites, and NOD32 (which I had installed without problem, although I could not install Avira or Avast) immediately caught some malware files and submitted them to ESET. Who knows what may have slipped past NOD32.

(The sites were specific pages at bitardhqpaid.com and maoospar.com, just FYI.)

The last time I had the computer access the internet, I used Firefox, which did not get redirected, so I saw no clear evidence of a problem.

So this IS MALWARE, which was undetected by the other tools, and which managed to stop MBAM from running more than about 3 seconds. Be careful out there.


Thanks for pointing that out; change made.

I was under the impression that Firefox was somewhat more resistant to malware than MSIE. My friend thought she was probably using FF when she browsed that infected site, so I was a little surprised that the malware slipped past.

Would NoScript with Firefox be likely to minimize such drive-by downloads? Do we need to block iFrames too?
