On my dad's WINDOWS VISTA SP2 machine he has security essentials installed but somehow he got duped into installing Personal Security. Now I am not even able to open webpages on that computer. Whenever I open IE8, it just says connecting and shows nothing but white. The desktop icons also disappear every time Personal Security pops up on start up or when I try to uninstall it from ADD/REMOVE. I burned mbam-setup from my uninfected computer into a CD and then transferred it to my dad's desktop. I followed these instructions - http://forums.malwarebytes.org/index.php?s...+security\

Unfortunately I am not able to run MBAM at all even after renaming it. All I get is a runtime error. Sometimes, with other names like "firefox" nothing happens even. Please tell me what I should do next. No worries about this uninfected computer I am typing from, it has NORTON 360 and I am very cautious about where I browse or links I click.


Hi, it's been 48 hours now and no one has replied yet. Here are some more details about what I have tried so far -

I was able to install MBAM on the infected computer but only after renaming it. Unfortunately I am not able to run MBAM at all even after renaming it. All I get is a runtime error. Sometimes, with other names like "firefox" nothing happens even. The same thing happens when I try to run GMER or DDS in order to scan and post logs. Nothing happens when I double click on them. Please tell me what I should do next. No worries about this uninfected computer I am typing from, it has NORTON 360 and I am very cautious about where I browse or links I click.


;)

Sorry for the delay

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall.


Hi, thank you very much for replying. Unfortunately I seem to be unable to start Combofix at all. When I double click it, Windows Vista User Account Control asks me whether I want to Cancel or Allow the ComboFix.exe. When I click Allow, the User Account Control pop-up goes away but nothing else happens. I have turned off Microsoft Security Essentials Real Time protection, but obviously there does not seem to be a way for me to turn off Personal Security from the task bar.

I am also unable to turn off the windows firewall from the security center window and I cannot get to it from Control Panel because I can't even seem to open Control Panel now. It seems the only thing I can open is My Computer and My documents.


I was able to start ComboFix just now by renaming it to "explorer.exe", a green progress bar popped up but then nothing else happens after. I did notice that the MS Security Essentials icon on my taskbar was gone though. But nothing else happens.


Hi, it still seems unable to run after the green progress bar. I've tried several times with several different ways of typing that path even making a shortcut to it. I even tried typing "/killall" without a space after "explorer.exe". I also tried being more specific by typing "C:\Users\(profile name)\Desktop\explorer.exe" and then "/killall". Same thing. Sometimes two windows would pop up for a split second after or during the green progress bar. At one time, after the green progress bar (or I think it was before) Personal Security gave me a warning of some trojan and asked me if I wanted to block it. Thinking that it was probably a fake I clicked NO. Immediately I saw what looked like a fake BSOD followed by a black screen that seemed to resemble the Vista pre-load screen but mentioned something about an unregistered version of Personal Security. After which it came back to the desktop and started the shutdown process.


Before you ran combofix did you completely disable Norton 360? That can really block a lot of these tools from running.

No, I do not have Norton at all on the infected computer, just on the one I am typing on. The only anti-virus program I have on the infected computer is Microsoft Security Essentials and I made sure to turn off Real Time Protection on it. I don't know if it matters, but Norton Internet Security was installed on the infected computer a few months ago before I uninstalled it and replaced it with MS Security Essentials.


Okay, let's try this

Please download ComboFix again to your desktop, but make sure you save it to your desktop as winlogon.exe (not rename it after the download).

After the download completes, double-click on Winlogon.exe and let me know if you still have issues.

Well thing is, I can't download ComboFix to the infected computer's desktop directly. I have to save it first on this uninfected computer and either transfer it to the infected computer via burned CD or Flash Drive. Does that make a difference? Or do I just save it from here first with the new name and then transfer it?


The reason I can't download anything directly to the infected computer right now is because Personal Security seems to be preventing my IE8 browser to be working. Whenever I launch IE8, it just says connecting and shows all white. Even the menus don't fully show up. It looks like it's frozen, and I'm not even able to close it afterwards. I don't have any other browser installed though.


Hi, it does not appear to make a difference. I saved it to my desktop in my clean computer as "winlogon.exe", transferred it to my USB drive and then transferred it to my infected desktop. Does the same thing, progress bar runs, some window pops up for a split second and then nothing. I tried running with the killall command as well and does not seem to make a difference.


How long have you waited?

Waited until I tried it again? I'd say 5-10 seconds each time, maybe less. I thought since it kept closing the windows and then nothing happens that it would be pointless waiting. Afterwards I just give up and shut the infected computer down. Do you want me to try it again and then just leave it alone for a while?


yes believe give it a few minutes ten minutes at most.

Gonna try running it all day today and wait 10 minutes or so before trying each time. If any Personal Security "warnings" come up should I bother closing them or just leave them alone?


Alright, after several attempts at running ComboFix I decided to try it in Windows Vista Safe Mode. Once loaded there, I noticed Personal Security did not pop up for once nor did my desktop icons disappear. I double clicked on winlogon.exe and this time combofix popped up a DOS window after the progress bar. It did its scan, but I did notice it mentioning stuff that it got denied access to because of Admin permissions or something. Anyways this was the report it logged -

ComboFix 10-02-18.05 - Ernie Chi 20/02/2010 13:33:56.1.1 - x86 MINIMAL

Microsoft

