Jump to content

Infected - Won't Allow update

Phil64

By Phil64
in Resolved Malware Removal Logs

 Share

Recommended Posts

Phil64

Phil64

Posted
Posted

Hi,

I am definitely infected with some sort of fake anti-virus software "Windows Security Scan" says I am infected, scans continuously. Blocks web sites opens pornographic sites in Explorer. Was able to get to internet by using Firefox set Lan to "No Proxy" when Default Proxy is set nothing. I was able to install Mawarebytes, but it would not open until I used a program called "Rkill" which then allowed it to open. When I try to update I get the following error - "Program_Error_Updating_(122,0,MultiBytetoWide(Char) The data area passed to a system call is too small"

Defogger then ran, but did not ask to reboot. The logs are as follows and the attach.txt and ark.txt are attached via a zip file. Any help would really be appreciated, this is one nasty virus. I don't see any place to attach the zip file with the 2 other logs. What should I do?

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Phil on 01/10/2011 at 21:44:54.

Processes terminated by Rkill or while it was running:

C:\Windows\SysWOW64\mdmcls32.exe

C:\Windows\SysWOW64\svcprs32.exe

C:\Windows\SysWOW64\cfgmig32.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Users\Phil\Desktop\rkill.com

Rkill completed on 01/10/2011 at 21:45:32.

Malwarebytes' Anti-Malware 1.43

Database version: 3458

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18882

2/15/2010 10:23:59 AM

mbam-log-2010-02-15 (10-23-59).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 226200

Time elapsed: 33 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-12-12.02) - NTFS_AMD64

Run by Phil at 21:56:03.93 on Mon 01/10/2011

Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_23

Microsoft

Link to post
Share on other sites
LDTate

LDTate

Posted
Posted

post-32477-1261866970.gif

Please don't attach the scans / logs, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Please open up Notepad and copy all of the items in the code box below.

Change the "Save As Type" to "All Files". Save it as fix.reg on your Desktop.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

Now double-click fix.reg.

A window will come up asking if you want to let it merge with the registry.

Click yes.

Reboot and post a new DDS scanlog.

Link to post
Share on other sites
Phil64

Phil64

Posted
  • Author
Posted
post-32477-1261866970.gif

Please don't attach the scans / logs, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Please open up Notepad and copy all of the items in the code box below.

Change the "Save As Type" to "All Files". Save it as fix.reg on your Desktop.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"=-

Now double-click fix.reg.

A window will come up asking if you want to let it merge with the registry.

Click yes.

Reboot and post a new DDS scanlog.

I'll do this as soon as I get home. Do I need to reboot after making the registry change? Or should I just try and run the MalwareBytes update right away? I can't run anything at all with using "Rkill" I guess I still should keep using it to get some control of my machine.

Thanks for the quick reply

Link to post
Share on other sites
Phil64

Phil64

Posted
  • Author
Posted

LD,

Before I heard from you I installed Spybot Search & Destroy, I followed your instructions regarding the Regedit rebooted and still had the same error when I tried to update MBAM. Here is the DDS log I ran after the REGEDIT and reboot:

DDS (Ver_10-12-12.02) - NTFS_AMD64

Run by Phil at 18:47:05.90 on Tue 01/11/2011

Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_23

Microsoft

Link to post
Share on other sites
LDTate

LDTate

Posted
Posted

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites
Phil64

Phil64

Posted
  • Author
Posted

Had a bit of trouble running combfix. Said corrupt download, redownloaded and ran but got an error while it was running a popup saying "PEV.cfxxe has stopped working, not sure if that was normal, here is the log:

ComboFix 11-01-10.04 - Phil 01/12/2011 7:53.1.4 - x64

Microsoft

Link to post
Share on other sites
Phil64

Phil64

Posted
  • Author
Posted

My computer is much better, Thank you so much. I was able to update both Spybot and my CA antivirus, no problems. I ran a Spybot scan, nothing detected, didn't want to run the antivirus scan yet because that usually takes a long time to run. Both Firefox and IE seem to be working fine. I uninstalled MBAM and redownloaded it, installs fine until it gets to the update screen where I get the same message - "Program_Error_Updating_(122,0,MultiBytetoWide(Char) The data area passed to a system call is too small". I ran as Administrator and disabled both CA antivirus and Spybot.

I appreciate the time you are taking, once again thank you.

Phil

Link to post
Share on other sites
LDTate

LDTate

Posted
Posted

You have to enter the exceptions for MBAM into your CA products (both av and firewall) like listed below.....

Please exclude the following files from your antivirus:

Note: If using a software firewall besides the built in Windows Firewall you'll need to exclude them from it as well

For Windows Vista or Windows 7:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll

C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

C:\Windows\System32\drivers\mbam.sys

C:\Windows\System32\drivers\mbamswissarmy.sys

For 64 bit versions of Windows Vista or Windows 7:

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\zlib.dll

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.dll

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

C:\Windows\System32\drivers\mbam.sys

C:\Windows\SysWoW64\drivers\mbamswissarmy.sys

Note: If using a software firewall besides the built in Windows Firewall you'll need to exclude MBAM.EXE from it as well

Link to post
Share on other sites
Phil64

Phil64

Posted
  • Author
Posted

No Luck, still get the same error. I added the files to the CA Antivirus exceptions all except for "C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll", which does not appear anywhere on my system. I could not find any place in the CA Firewall to add these programs, so I just disabled the firewall temporarily and tried to update, I still get the same error.

Can I update manually?

Link to post
Share on other sites
LDTate

LDTate

Posted
Posted
No Luck, still get the same error. I added the files to the CA Antivirus exceptions all except for "C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll", which does not appear anywhere on my system. I could not find any place in the CA Firewall to add these programs, so I just disabled the firewall temporarily and tried to update, I still get the same error.

Can I update manually?

Give it a try. Open MBAM and check for updates.

If that doesn't work:

Windows Vista and Windows 7:

  • Click on the Start button and select Control Panel
  • Click on Programs and Features
  • Uninstall Malwarebytes' Anti-Malware
  • Delete this folder if listed C:\ProgramFiles(x86)\MALWAREBYTES ANTI-MALWARE
  • Delete this file if listed C:\Windows\System32\drivers\mbam.sys
  • Restart your computer very important !
  • Download and run mbam-clean.exe from Here

It will ask to restart your computer, please allow it to do so, very important

After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from Here

Link to post
Share on other sites
Phil64

Phil64

Posted
  • Author
Posted

No luck, followed your instructions to the letter still get the same error - "Program_Error_Updating_(122,0,MultiBytetoWide(Char) The data area passed to a system call is too small"

Error occurs after install before program loads when it asks to update and also when in the program and I click the Update Tab.

Could this be a Vista 64 bit problem?

Link to post
Share on other sites
LDTate

LDTate

Posted
Posted

I'm not sure what is causing that.

Do this and let me know how it's running.

Good job thumbup.gif

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :)

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

    [*]Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week

    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    [*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.

    Without a firewall your computer is succeptible to being hacked and taken over.

    I am very serious about this and see it happen almost every day with my clients.

    Simply using a Firewall in its default configuration can lower your risk greatly.

    [*] WOT , Web of Trust, As 'Googling' is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

    Green to go

    Yellow for caution

    Red to stop

    WOT has an addon available for both Firefox and IE.

    [*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.

    This will ensure your computer has always the latest security updates available installed on your computer.

    If there are new updates to install, install them immediately, reboot your computer, and revisit the site

    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?.

How to Prevent Malware:

Link to post
Share on other sites
Phil64

Phil64

Posted
  • Author
Posted

LD,

Thanks for all your help, really appreciate it. Everything seems to be back to normal. Wasn't able to get MalWareBytes updated, but everything seems to be working fine, so I am fine with that. Checked my settings and will check into the Web Site identifier program you mentioned. All the best and once again thank you.

Phil

Link to post
Share on other sites
Phil64

Phil64

Posted
  • Author
Posted

Boy they sure bury that setting. Still no luck. I get the same error. I added the line to my exceptions nothing. I have uninstalled Spybot, and then I even went into task manager to disable any CA process and services and tried again still same error. Thanks for helping if I figure it out I'll definitely post. Let me know if there is anything else I can try. I am sure it must be some weird setting.

Link to post
Share on other sites
Phil64

Phil64

Posted
  • Author
Posted

SUCCESS!

Finally found the solution got to love Google, here is the solution from PCHELFORUM:

Re: Malwarebytes error

I got Malwarebytes to update , ran it and found no infection.

I was able to update it by opening CA Antivirus

a) Go to Keep My Computer Safe

:) Under setting you will see Program Access

c) Scoll down to Advanced program access permission , edit

d) It has the following:

Program Inbound outbound Edit Remove

Name ask me allow

allow

prevent

Under program you look for the program that you want to access, under inbound there are three (3) options a) ask me :) allow c) prevent

e)After finding your program you click allow then under edit I checked everything that there.

f) click save.

There were 5 programs I gave full access to under the "Edit" setting - simply clicking Allow inbound and Outbound did not work, you have to hit "Edit"

MBAM-Clean.exe

MBAM-Setup-1.5.1:1100.exe

MBAM-setup.exe

MBAM.exe

MBAMgui.exe

Not sure which of the 5 were needed but it works now and I off to scan with my updated MBAM.

Thanks again,

PS this was for Computer Associates Internet Security Suite 2010

Link to post
Share on other sites
Phil64

Phil64

Posted
  • Author
Posted

Hey LD,

I am back. Not sure what's going on now. Everything seems to be back to normal, however now that I have been able to update MBAM, I ran 2 scans and both times seperate infections were found. Here are the logs:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5508

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18999

1/12/2011 9:48:46 PM

mbam-log-2011-01-12 (21-48-46).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 466750

Time elapsed: 1 hour(s), 29 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Phil\local settings\application data\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5516

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18999

1/14/2011 6:02:25 AM

mbam-log-2011-01-14 (06-02-25).txt

Scan type: Full scan (C:\|)

Objects scanned: 437645

Time elapsed: 1 hour(s), 25 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Phil\downloads\downloads\tl_weddingpack001.exe (Trojan.WinLock) -> Quarantined and deleted successfully.

It says that the files were deleted successfully, however I now ran a scan with my CA Antivirus and it showed the following infections with only a "Detected" note, these were not quarantined or deleted:

BiFrost

WinAntiVirus Pro 2006

WinSpyware Protect

I believe they look like registry locations, but I am not sure, it was early and I had to go to work. If you need the details I will post tonight when I get home. Please let me know what I should do, or if I should post to a new thread. I just reinstalled SpyBot S&D and am running the scan while I am at work. I also disconected the network cable to be safe.

Any help would be greatly appreciated.

Phil

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.