MBAM exits within a few seconds on my laptop

[timmy]

Hi

MBAM is installed on my laptop with Windows XP. When I run MBAM, it closes within a few seconds even before quick scan starts. Here are some of the things that I tried as per the pinned topics on this forum :

1) Renamed mbam.exe as winlogon.exe. It still exits within a few seconds after starting winlogon.exe.

2) Installed "Avira AntiVir Personal"- It doesn't work on my laptop.

3) Tried the following things as per the pinned topic - "I'm infected - What do I do now?, Please follow these instructions to clean your system"

a) Disabled CD-ROM Emulation Software

Tried to run DDS after disabling script blockers - dds.scr just starts & exits without creating any .txt files

c) Tried to run GMER - It scans for a while & exits automatically. So, I couldn't save any logs. After a while, system crashes (only after running GMER).

4) Tried the following things as per the pinned topic - "Procedures to help resolve issues preventing MBAM from running"

MBAM won't run(Fix), SystemSecurity

MB won't run(Fix) - Total-Security (FakeAlert)

MBAM wont run (Fix) - av360 (Fakealert)

MBAM wont install or will not run. - CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC

I could not load other antivirus tools also. I keep getting disconnected from the internet though the DSL router is stable. System needs a reboot to reconnect to the net. System is pretty stable otherwise.

Is it possible to get help from this forum ?

Thanks.

[miekiemoes]

Hi,

Please try this method:

http://forums.malwarebytes.org/index.php?s...st&p=193288

Note, there's also renaming involved, however, in this case you have to change the file extension; so an .exe becomes a .com file instead.

[timmy]

When I change mbam-setup.exe to mbam-setup.com, it just starts & exits immediately without even going to language selection. If I change it back to .exe, it starts & goes to language selection screen.

Thanks

[miekiemoes]

Have you tried this in Windows safe mode already?

Also, what happens when you rename to firefox.exe or firefox.com?

[timmy]

mbam-setup.com doesn't work even in safe mode.

When I change firefox.exe to firefox.com, it doesn't work.

Is it possible to run mbam at all on my system ?

Thanks

[miekiemoes]

Hi,

It looks like your computer is severly infected, because as you said, other programs won't work either...

DDS works? This is a .scr extension, but won't open a log afterwards? Is the log created? It should be in the same folder as DDS. If a log was created, then please attach it.

I wonder if malwarebytes would work if you rebame it to a .scr extension instead. So try to rename mbam-setup.exe to svchost.scr

[timmy]

DDS is not creating any log in my system. It just exits immediately.

mbam-setup.scr seems to work. Do you want me to change mbam.exe to mbam.scr as well ?

[miekiemoes]

mbam-setup.scr seems to work. Do you want me to change mbam.exe to mbam.scr as well ?

yes please

[miekiemoes]

btw, make sure you also update mbam before you run the scan..

[timmy]

Changing mbam.exe to mbam.scr results in an error after running the .scr file - Error code : 700 (0,0)

[miekiemoes]

Ok,

First I want to know for sure if this is an association hijack or not.

Can't you open any programs at all? Do they all exit?

Please try this version of malwarebytes: Click the link here

Save it on your desktop. You'll see it will have a random name, and will look similar like this:

Doubleclick on it, so it will extract the files and will start Malwarebytes automatically.

In case the installer (random named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and doubleclick the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards (important).

After reboot, post the malwarebytes log together with a new HijackThislog.

In case you're having problems with above instructions, let me know.

[timmy]

>> First I want to know for sure if this is an association hijack or not.

>> Can't you open any programs at all? Do they all exit?

To answer your above question : I can run many other programs except antivirus softwares. I've been using the system like this for the last couple of months for video editing. Things were fine though I could not load antivirus stuff. Even now, I can continue to do video editing stuff.

I could browse the net as well. But, internet goes off frequently.

I'll try to load the version of malwarebytes that you gave in the above mail now & let you know.

Thanks

Sandhya

[timmy]

I'm not able to go to the link that you mentioned to download another version of malwarebytes. Can you please check the link ?

Thanks

[miekiemoes]

To answer your above question : I can run many other programs except antivirus softwares. I've been using the system like this for the last couple of months for video editing. Things were fine though I could not load antivirus stuff. Even now, I can continue to do video editing stuff.

In that case, it's not a fileassociation hijack, but malware that targets AV Tools.

I really hope you're not dealing with a file infector like Sality, because this one acts exactly the same. This one infects legitimate files as well, so in such case, its unfortunately a game over situation since there's too many damage already.

The link works fine though.. I just tried it.

I'll attach it to my post instead:

< attachement removed >>

You will need to unzip it first and then run the random exe file inside it. The file in the zipfile looks like a winrar file, but it's a selfextractor, so don't try to unzip that one as it doesn't need to get unzipped

I'll remove the attachement here again once you've downloaded it.

[timmy]

I could download the version of malwarebytes that you mentioned in another system. I could run the file JdYYr9R8j.exe & it created mbam-installer directory.

But, when I executed winlogon.exe, it asked whether to update the database. After clicking yes, it showed another screen about connecting to malwarebytes.org. After that, it resulted in an error - Error code - 732 (0,0)

Thanks

[miekiemoes]

Hi, don't worry about that for now (not being able to update).

Just try to run a scan....

[timmy]

May be, I was not clear in my previous mail.

winlogon.exe asks whether you want to download the updated database ? If I click "Yes", it tries to connect to malwarebytes.org & then exits with error code - 732 (0,0)]. It doesn't even open the screen that has an option to scan.

If I don't select the option to update the database, winlogon.exe exits with the error code - 716 (2,0) - "The system cannot find the specified file".

So, I cannot run any scan in both cases.

[miekiemoes]

Hi,

You have another computer right?

On that computer, install malwarebytes and update it.

Then navigate to the following folder:

C:\Documents and Settings\All Users\Application Data (assuming it's also XP - If not xp, then it's located here: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware)

In there, you'll find the folder Malwarebytes. Rightclick that folder and choose to zip.

Now transfer that zipped Malwarebytes folder to the infected computer and unzip it again to this directory:

C:\Documents and Settings\All Users\Application Data

So on the infected computer, that Malwarebytes folder should be here: C:\Documents and Settings\All Users\Application Data\Malwarebytes

This folder contains the updates.

Then try the random installer again.

[timmy]

I could run mbam after copying the database from the other system. It cleaned 9 objects. Only quick scan was performed.

I've attached Malwarebytes log here. I still have trouble installing HJT. HJTInstall.exe exits immediately after starting.

Thanks

mbam_log_2010_02_25__14_57_59_.txt

[miekiemoes]

Hi,

Now I see with what you are dealing with... Daonol aka gumblar. This one blocks most tools.

I see malwarebytes detects it fine here, but you should select to delete what it found and then reboot.

Have you done this? If so, then please run another scan with malwarebytes again and post the new log in your next reply.

[timmy]

Yes. Malwarebytes deleted whatever it found & then the system was rebooted before trying HJT.

Now, again, I can't run Malwarebytes using the installer that you gave yesterday. Winlogon.exe quits even before displaying the menu to perform scan.

[miekiemoes]

Hi,

Can you verify this file still exists?

C:\WINDOWS\jhbcr.foj

[timmy]

Yes. C:\WINDOWS\jhbcr.foj file is present.

[miekiemoes]

That's the cause. It can be deleted, but it will restore itself immediately again if you delete it like that...

It needs to get deleted on reboot, but since this malware locks most tools, we have to find a tool it doesn't block.

BTW, if you rename Hijackthis.exe in the Hijackthis folder to firefox.exe, does Hijackthis run then?

[timmy]

HijackThis doesn't run even if it is renamed as firefox.exe.

So, what next ?