Hello,

I am new here and my problem sounds a bit weird and is strange to describe, so please bear with me while I try to get it together in as short a way as possible (which isn't very short, unfortunately). I'm still not sure if MBAM 1.50 is really to blame, but tell me what you think.

First, for it might be important, I have an elderly Pentium4 running Windows XP/SP3. I thought I had a pretty good protection:

Avira Antivir as Antivirus

Sygate Firewall

MalwareBytes 1.46 and SuperAntiSpyware as on-demand scanners (updates and quick scans daily, full scans every other week)

Sophos AntiRootkit

Sandboxie for surfing

Time Freeze for every new install

CCleaner to keep all the rest clean

Mailwasher to check emails

Okay, all was good so far until I got the idea to update MalwareBytes 1.46 to 1.50 because I read somewhere it is so much faster. Maybe it was a mistake, but I followed the program's instructions and simply installed the new version on the old, using its web update. I then let it have a full scan.

So far, so good. First thing the new MBAM did was flagging Sun Java as having Trojans. I trusted MBAM and didn't really need Sun Java anyway so I uninstalled it with Revo Uninstaller. It probably was a false positive, but what the heck.

Then, after the next system start I noticed Avira demanding to connect to the internet, which it never did before, causing Sygate to note the failed attempt as the comp wasn't even online. (My usual morning routine is drinking coffee, going online and updating Avira, SAS and MBAM, so none of the three sits there with outdated defs or some such.)

I also run quick scans every morning with MBAM and SAS, neither found anything.

Next morning, same thing, Sygate showed Avira trying to go online and I checked the msconfig startup to see if there was anything wrong, thus detecting two strange entries, consisting merely of blank squares as names (like there wasn't the right font to display). The locations were

HKCU\Software\Microsoft\WindowsNT\Currentversion\Windows:Run

HKCU\Software\Microsoft\WindowsNT\Currentversion\Windows:Load

I unchecked them and restarted, and Windows started popping up messages that it couldn't find [two squares here]. I could click them off and the system seemingly worked normal.

I ran a full scan with both MBAM and SAS. MBAM found nothing, SAS found a thing called:

HKLM\Software\Microsoft\WindowsNT\Currentversion\Winlogon (taskman - )

I let SAS quarantine it and restarted.

Same as before, in the startup list the strange entries were back, four times:

HKCU\Software\Microsoft\WindowsNT\Currentversion\Windows:Run

HKCU\Software\Microsoft\WindowsNT\Currentversion\Windows:Load

Software\Microsoft\WindowsNT\Currentversion\Windows

Software\Microsoft\WindowsNT\Currentversion\Windows

By then, I was certain that it had something to do with the new MBAM version, and I uninstalled MBAM completely, using Revo Uninstaller.

The entries were still there.

Searching in the net, I've read that such entries had something to do with win.ini and system.ini, which XP wouldn't really need. I ran msconfig again and tried a selective startup, unchecking win.ini and system.ini.

Yup - this did the trick, the entries were gone, CCleaner took care of the remnants, all well that ends well - sadly, not.

I happen to have an age-old program I still need, and that antiquity still needs win.ini. (AAAARGH!!!!)

With the win.ini back in - or any normal startup - the whole crap starts again and the startup entries are back.

New full scan with SAS - nothing detected

Full scan with Avira - nothing

Sophos Anti-Rootkit - nothing

Dr. Web CureIt - Express scan and full scan - nothing

Now, I'm at my wits' end. I'm not a computer freak, and I would be hopelessly lost tapping around in the registry looking for problems, as I couldn't tell the problems from the normal there.

I want my MBAM back, but don't dare to install 1.50 again - could it be better to stick to 1.46? I don't want to diss it, it was one of my most trusted programs, and one half of my daily morning-coffee routine.

Most important, how did it all start?

Before installing 1.50, the last new installation I had was the Caminova DjVu plugin which I installed Nov 28 (using Time Freeze). I doubt it has anything to do with anything.

I only surf with Sandboxie, the sandbox gets deleted on closing. I was on no suspicious websites, did not download anything, had no email attachments, nothing.

All I did was

1. installing MalwareBytes 1.50

2. uninstalling Sun Java

oh, and 3. SAS found the first malware in months.

Can it be that SAS found only half of the malware or quarantined only half of it so the other programs cannot find anything now?

What is that on my computer? I reckon whatever it is, it is still there, as unchecking win.ini and system.ini is merely shoving it under the carpet.

Has it anything to do with MalwareBytes??

I'm slowly getting desperate, even though the computer seems to work fine now. But, as said, I need the win.ini back, and with the win.ini the trouble will start again. I'm at a complete loss at what to do now.

Thanks for all your patience, and I do so hope someone can help.

Feline


Hi Feline,

I have an almost identical problem to you:

2 Lines of blank squares in msconfig startup relating to registry entries:

HKCU\Software\Microsoft\WindowsNT\Currentversion\Windows:Run

HKCU\Software\Microsoft\WindowsNT\Currentversion\Windows:Load

These have appeared on 2 of my PCs at the same time (Laptop & Desktop). The PCs aren't networked and no media is transferred from one to the other. It happened just after upgrading MBAM on both machines to version 1.50.

I've also had problems with my internet connection on the Laptop.

I've thoroughly scanned both computers with 4 different makes of Anti-malware software including Malwarebytes and the logs are clean.

Can this be a coincidence?


Hi Presario,

thanks for your reply, good to know I'm not alone. I'm still looking around but found no solution yet.

My computer isn't networked (other than that it goes into the internet using RASppoe (or so)). I didn't experience any troubles with connecting to the net.

What kind of other makes of antivirus software did you use?

As I wrote, the only one who detected something was SuperAntispyware, even though it apparently did a lousy job in removing the problem. But, when the startup entries are back in (after a normal startup), Windows at least cannot find whatever they're looking for.

It would be interesting to find out what our computers have in common, but maybe we better wait for an expert here to ask specific questions before we start posting our complete hard drive contents.

Did it help you to uncheck win.ini and system.ini?

(in msconfig, the first tab (General), then select 'Selective startup', and uncheck 'process win.ini' and 'process system.ini')

This will at least temporarily allow you to remove the faulty startup entries, but it is only a cover-up, not a solution. That thing, whatever it is, still sticks in either win.ini or system.ini, albeit I cannot see anything suspicious in either one. (But then, I'm a computer illiterate...)

Please keep on posting if you find out anything.

Feline


  • Root Admin

I would not suggest using MSCONFIG as a startup control application. It should be used as a debugging tool. If you want to control startup items more interactively I'd suggest something like AutoRuns from Microsoft.

Please start MSCONFIG and set it back to NORMAL startup and reboot the computer. Then run the following script and post back the logs.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

  1. DDS.txt

  2. Attach.txt

  • Save both reports to your desktop

  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Hello Ron,

thanks for your reply and advice. I almost feel a bit stupid now, as I nearly didn't dare to run a normal startup (reading that another guy had so much trouble going online et al), but then did it anyway. The strange entries are gone, both in msconfig and CCleaner (and my win.ini-needing antiquity runs as well).

I ran the dds.scr nonetheless, as I would like to know what it was that plastered those cryptic hieroglyphs into my startup - and more important: is there a risk that it comes back? And how could they be gone? SAS couldn't have done it, as the entries were still there after SAS removed the alleged malware. And all the others didn't find anything. Malwarebytes was uninstalled, but even after the removal the entries were there. I can't see what made them go away.

Also, I'm hesitant to install Malwarebytes 1.50 again, in fear it might all start again. I think I better reinstall 1.46, as I was perfectly happy with it and it never caused any problems. I still have the old setup.exe on my hard drive.

Oh well... maybe you can still see something that might have caused the conflict, or whatever it was, so I attach the two files.

By the way, I usually don't use msconfig to handle the startup entries, but CCleaner. I just have the habit to look it up for a quick view.

Oh, and another thing - in msconfig, both win.ini and system.ini are back to their usual treeview. During the 'crisis', they showed up as plain text files. That was strange as well, but I forgot to mention it.

Thanks so very much for your time and help, as I really want 'my' MBAM back,

Feline

zip.ZIP

DDS.txt


Hi Feline & AdvancedSetup,

Thanks for the replies.

Feline, I forgot to mention earlier that I scanned my Laptop with SAS and also found:

HKLM\Software\Microsoft\WindowsNT\Currentversion\Winlogon#Taskman

This is being discussed on the SAS Forum and is thought to be a 'False Positive'.

I was busy Formatting the Hard Drive and Restoring the Software of the Laptop when I typed my first message so I missed a few facts.

I wish I'd seen your Post literally minutes earlier, then I would have waited.

It was a few days ago that SAS detected the Winlogon#Taskman Malware.Trace on the Laptop and then I discovered the suspicious lines of squares in the Startup of both the Laptop & Desktop.

The Desktop PC does not have the Winlogon#Taskman Registry entry so I don't think the two are connected.... wow, this is getting complicated!

Here's my situation:

Both PCs Running Windows XP SP3.

Laptop - SAS detected Winlogon#Taskman Malware.Trace / I discovered suspicious squares in Startup.

Scans with Avast, MBAM & Ad-Aware were clean. I spent the last few days investigating and probably making things worse.

I lost all my Restore Points and my Internet connection, so I decided the easiest option was a Format & Recovery.

Desktop - I discovered suspicious squares in Startup. I unticked them, but then received error messages on Restart. I replaced the ticks and the PC started perfectly again, but obviously squares were still in Startup. I then used System Restore to go back to 23/11 (MBAM back to 1.46) and everything was fine (Squares gone).

Scans with Avast & MBAM clean at all times (even when squares present).

The Squares in msconfig Startup were the thing that puzzled me. Appearing in both independent PCs at the same time. When you mentioned the MBAM version update it seemed to make sense - it's the only action linking the 2 PCs.

AdvancedSetup, thanks a lot for the info and advice about MSCONFIG and startup control, and also the offer to Analyze Logs.

Unfortunately the Laptop is in the process of a Software re-build and the Desktop is back running as sweet as a nut. I think I'll leave it with MBAM 1.46 for a while if that's possible and see what unfolds.

Presario

PS. Feline, you posted your message as I was typing mine, so some of mine might not be relevant. You are a faster typer than me, ha ha!


Hi Presario,

yikes, it seems I was rather lucky in all this. I was pointed to the SAS thread but I'm not sure if it was a false positive. Also, SAS didn't detect it during the quick scan (as I do one every day, with both SAS and MBAM). It only appeared during the full scan.

However, I'm glad my problem seems to be gone, but I still submitted my logs, as I reckon there has to be something that caused a conflict of sorts. I think I'll also reinstall 1.46 as I'm afraid it might all start again with 1.50, but this can't be it. I have no idea how long they will provide updates for the older version and I would hate to lose MBAM altogether. And believe me, I DID feel stupid when I restarted my computer in normal mode and it came up as if nothing had happened. I never felt so foolish.

But then, I'm also afraid it might come back. Drat!

Feline


  • Root Admin

Hello Feline

I don't see anything obvious that would be Malware in that log. I see you have what appears to maybe be a leftover driver from ZoneAlarm, or it could be there from the Tuneup utilities.

I would highly suggest not staying on 1.46, as 1.50 is vastly improved and much better able to protect your system, especially if using the paid Pro version.

If an issue crops up then we'll try to see what's causing it and see if we can fix it. This is my suggestion for you to replace it cleanly.

Make sure you disable your AV and other security applications temporarily and run the 1.50 installer.

I'll post the process for all operating systems but you can follow the one for XP.

Please do the following to see if it resolves the issue:

Windows XP:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.

Windows Vista and Windows 7:

  • Click on the Start button and select Control Panel
  • Click on Programs and Features
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.


<snip>

I have the same problem with a PC I'm trying to fix for a friend (little squares)

and when I came upon this forum in a Google search I wanted to see if I had the little squares on this, my main PC.

Since Feline mentioned

HKCU\Software\Microsoft\WindowsNT\Currentversion\Windows:Run

and

HKCU\Software\Microsoft\WindowsNT\Currentversion\Windows:Load

I was able to see where my little squares should have been.

I happen to have Traditional Chinese (etc.) fonts on my PC and the little squares look different.

I made a couple screen shots and when my wife gets done with whatever she's doing, I'll have her translate.

In the mean time...

Oh and PS, I'm not having any problems with these two startup things, I just wanted to see if I had 'em.

My friend's PC is another story.

I think the reason I had no problems is I unchecked them before I downloaded and installed your software; I rebooted after making the config changes but before the download.


Hey uhclem,

Has your wife translated the startups? I have the same problem... Downloaded autoruns, which now shows these as unchecked and "File not found", but msconfig still shows it as checked...

I have an idea... Could this be the remains of a Malware? With the Malware executable gone, but it still is able to replicate itself and tell the Registry to load the Malware, but the file it says to load has been deleted?

Thanks...


Hi all,

These are random 'junk' characters: they don't mean anything helpful (though they do in another context, certainly not here). I have the same problem. I unchecked two items located at HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:Run and :Load in msconfig startup, and after restarting they replicated themselves, but with a new item name (another random character plus a symbol). If you don't have East Asian compatibility installed in your Windows, I assume you'd see little squares instead of the characters. Unfortunately I don't have time to start working on this problem now. Looks like a long and difficult process for a newbie like me. But any tips (a quick fix!?!) are of course appreciated!

--Al


  • Root Admin

Best way to deal with this is to uncheck from msconfig > apply > ok.

Choose to exit WITHOUT reboot. (do not reboot)

This will create two new entries in there, but this time, the new ones will be visible in HijackThis, so check and fix these in HijackThis - run a scan and when found put a check mark on them and then click to remove.

F3 - REG:win.ini: load=??? ?

F3 - REG:win.ini: run=??? ?

Then merge the following regkey in order to delete the 2 other ones being disabled by msconfig:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run]

Then reboot and after reboot check if still there.

If you need help on how to create or use that registry change please let us know.


Ron

I found a similar issue on my machine, :)

I found the key and took an export; what is it? :)

a registry export shows

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DebugOptions"="2048"
"Documents"=""
"DosPrint"="no"
"load"=""
"NetMessage"="no"
"NullPort"="None"
"Programs"="com exe bat pif cmd"
"Run"=""
"Device"="HP Deskjet 3740 Series,winspool,Ne02:"

an OTL reg scan shows

========== Custom Scans ==========
< HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows >
"DebugOptions" = 2048
"Documents" =
"DosPrint" = no
"NetMessage" = no
"NullPort" = None
"Programs" = com exe bat pif cmd
"Device" = HP Deskjet 3740 Series,winspool,Ne02:
"load" =
"Run" =
< End of report >

doesn't show up in HJT or Spybot S&D's startup tool

I was going to delete it but wanted to ask someone first. I have run scans and didn't get any hits.

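As an added example (not code from this thread or from Malwarebytes), the Python script below audits a Regedit text export like the one posted above: it flags win.ini-mapped load/run values that start anything or contain unprintable characters, lists the items MSCONFIG parked under startupreg, and writes the same kind of REGEDIT4 delete-merge the Root Admin gave. The export it runs on is constructed; the key paths are the ones named in the thread.

```python
import re

# Windows NT maps the [windows] "load=" and "run=" lines of win.ini onto these two
# values; on a clean XP box both are empty strings, as in the export posted above.
WIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
# MSCONFIG parks items it has unchecked under here; the Root Admin's merge deletes them.
MSCONFIG_PARK = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

JUNK = "\u25a1\u0001"  # constructed: one non-ASCII glyph plus one control character

# Constructed sample export (not from the thread): load/Run carrying junk, plus the
# two keys MSCONFIG leaves behind after the entries have been unchecked.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DebugOptions"="2048"
"load"="<JUNK>"
"Run"="<JUNK>"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load]
"item"="<JUNK>"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run]
"item"="<JUNK>"
'''.replace("<JUNK>", JUNK)

def parse_reg(text):
    """Parse a Regedit 4/5 text export into {key: {value_name: data}}; "..." data
    is unescaped, other data types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys

def has_unprintable(s):
    """Control characters or anything outside printable ASCII: what MSCONFIG shows
    as blank squares when no installed font can render the name."""
    return any(not 0x20 <= ord(c) <= 0x7e for c in s)

def audit(keys):
    """One line per finding, in the style of HijackThis's F3 entries."""
    findings = []
    for key, values in keys.items():
        if key.lower() == WIN_KEY.lower():
            for name, data in values.items():
                if name.lower() in ("load", "run") and data:
                    findings.append(f"F3 - REG:win.ini: {name.lower()}={data!r}")
                if has_unprintable(name) or has_unprintable(data):
                    findings.append(f"unprintable characters in {key}\\{name}")
        elif key.lower().startswith(MSCONFIG_PARK.lower() + "\\"):
            findings.append(f"MSCONFIG-disabled item parked at {key}")
    return findings

def cleanup_reg(keys):
    """REGEDIT4 merge deleting MSCONFIG's parked keys, same shape as the one above."""
    parked = [k for k in keys if k.lower().startswith(MSCONFIG_PARK.lower() + "\\")]
    return "REGEDIT4\n\n" + "".join(f"[-{k}]\n" for k in parked)
```

Run it against a real export (Regedit, File > Export, as a text .reg) instead of SAMPLE_REG to get the same three kinds of findings for your own hive.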

  • Root Admin

I'm not 100% certain of the cause. I'm guessing that something caused a write failure which then left a non-printable character ??

If you follow the advice above you should be able to remove it safely though. We have not seen or heard of any ill behavior by removing the entries.
