MBAM exits within a few seconds on my laptop


timmy

Hi

MBAM is installed on my laptop with Windows XP. When I run MBAM, it closes within a few seconds even before quick scan starts. Here are some of the things that I tried as per the pinned topics on this forum :

1) Renamed mbam.exe as winlogon.exe. It still exits within a few seconds after starting winlogon.exe.

2) Installed "Avira AntiVir Personal"- It doesn't work on my laptop.

3) Tried the following things as per the pinned topic - "I'm infected - What do I do now?, Please follow these instructions to clean your system"

a) Disabled CD-ROM Emulation Software

b) Tried to run DDS after disabling script blockers - dds.scr just starts & exits without creating any .txt files

c) Tried to run GMER - It scans for a while & exits automatically. So, I couldn't save any logs. After a while, system crashes (only after running GMER).

4) Tried the following things as per the pinned topic - "Procedures to help resolve issues preventing MBAM from running"

MBAM won't run(Fix), SystemSecurity

MB won't run(Fix) - Total-Security (FakeAlert)

MBAM wont run (Fix) - av360 (Fakealert)

MBAM wont install or will not run. - CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC

I could not load other antivirus tools also. I keep getting disconnected from the internet though the DSL router is stable. System needs a reboot to reconnect to the net. System is pretty stable otherwise.

Is it possible to get help from this forum ?

Thanks.


  • Staff

Hi,

It looks like your computer is severely infected, because as you said, other programs won't work either...

DDS works? This is a .scr extension, but won't open a log afterwards? Is the log created? It should be in the same folder as DDS. If a log was created, then please attach it.

I wonder if malwarebytes would work if you rename it to a .scr extension instead. So try to rename mbam-setup.exe to svchost.scr


  • Staff

Ok,

First I want to know for sure if this is an association hijack or not.

Can't you open any programs at all? Do they all exit?

Please try this version of malwarebytes: Click the link here

Save it on your desktop. You'll see it will have a random name, and will look similar to this: mbamrandom.gif

Doubleclick on it, so it will extract the files and will start Malwarebytes automatically.

In case the installer (random named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and doubleclick the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards (important).

After reboot, post the malwarebytes log together with a new HijackThislog.

In case you're having problems with above instructions, let me know.


>> First I want to know for sure if this is an association hijack or not.

>> Can't you open any programs at all? Do they all exit?

To answer your above question : I can run many other programs except antivirus softwares. I've been using the system like this for the last couple of months for video editing. Things were fine though I could not load antivirus stuff. Even now, I can continue to do video editing stuff.

I could browse the net as well. But, internet goes off frequently.

I'll try to load the version of malwarebytes that you gave in the above mail now & let you know.

Thanks

Sandhya


  • Staff

>> To answer your above question : I can run many other programs except antivirus softwares. I've been using the system like this for the last couple of months for video editing. Things were fine though I could not load antivirus stuff. Even now, I can continue to do video editing stuff.

In that case, it's not a file association hijack, but malware that targets AV Tools.

I really hope you're not dealing with a file infector like Sality, because this one acts exactly the same. This one infects legitimate files as well, so in such case, it's unfortunately a game over situation since there's too much damage already.

The link works fine though.. I just tried it.

I'll attach it to my post instead:

<< attachment removed >>

You will need to unzip it first and then run the random exe file inside it. The file in the zipfile looks like a winrar file, but it's a selfextractor, so don't try to unzip that one as it doesn't need to get unzipped :)

I'll remove the attachment here again once you've downloaded it.


I could download the version of malwarebytes that you mentioned in another system. I could run the file JdYYr9R8j.exe & it created mbam-installer directory.

But, when I executed winlogon.exe, it asked whether to update the database. After clicking yes, it showed another screen about connecting to malwarebytes.org. After that, it resulted in an error - Error code - 732 (0,0)

Thanks


Maybe I was not clear in my previous mail.

winlogon.exe asks whether you want to download the updated database. If I click "Yes", it tries to connect to malwarebytes.org & then exits with error code - 732 (0,0). It doesn't even open the screen that has an option to scan.

If I don't select the option to update the database, winlogon.exe exits with the error code - 716 (2,0) - "The system cannot find the specified file".

So, I cannot run any scan in both cases.


  • Staff

Hi,

You have another computer right?

On that computer, install malwarebytes and update it.

Then navigate to the following folder:

C:\Documents and Settings\All Users\Application Data (assuming it's also XP - If not xp, then it's located here: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware)

In there, you'll find the folder Malwarebytes. Rightclick that folder and choose to zip.

Now transfer that zipped Malwarebytes folder to the infected computer and unzip it again to this directory:

C:\Documents and Settings\All Users\Application Data

So on the infected computer, that Malwarebytes folder should be here: C:\Documents and Settings\All Users\Application Data\Malwarebytes

This folder contains the updates.

Then try the random installer again.


  • Staff

Hi,

Now I see what you are dealing with... Daonol aka gumblar. This one blocks most tools.

I see malwarebytes detects it fine here, but you should select to delete what it found and then reboot.

Have you done this? If so, then please run another scan with malwarebytes again and post the new log in your next reply.


  • Staff

That's the cause. It can be deleted, but it will restore itself immediately again if you delete it like that...

It needs to get deleted on reboot, but since this malware locks most tools, we have to find a tool it doesn't block.

BTW, if you rename Hijackthis.exe in the Hijackthis folder to firefox.exe, does Hijackthis run then?
