Something I haven't seen before

So, for the last couple of days, I've been experiencing a problem on my PC running XP. Let me fill you in on the details:

I was browsing (with Firefox) and I saw, without warning, the Sun Microsystems logo pop up. Now I knew this was not of my own doing, so I shut down the processes immediately and ran Malwarebytes and AVG. It didn't work. I did the safe mode thing, fully updated my "anti-hell" programs, and ran them ALL again. They worked... to some extent.

They cleared the cause (pvb or pcb or pcvb, depending on how many times I used it in a row), but left the result: when opening an application (.exe), the file association "open with" dialog box popped up. This happened with shortcuts, actual executables, and anything I tried from the RUN dialog, even through the task manager.

I was able to open Firefox, though only through existing stored pages. When searching for this problem, I was only able to get to the links provided by saving the pages on the desktop and clicking them. Anything else resulted in a redirect or the aforementioned open-with dialog box. I tried everything I could think of, even a heretofore untried .exe regfix.

After much searching (through my own scans, not the internet. Actually, the last helpful post I found, from 3 days ago, from another person experiencing this, told me the problem was still being investigated by the guys at Malwarebytes - hint, hint) I discovered something: the problem kept originating from the "username"/documents portion of XP's Documents and Settings. That led me to think that it might be localized to a specific user. And you know what? I was right!

Here's the workaround: boot to safe mode, log in as Administrator. Run Malwarebytes to get rid of any remaining remnants (also, any other up-to-date AV you have, just to be safe), access account management settings, delete the affected account (choosing to save personal files if you want), and create a new one. THAT DID IT FOR ME! I still had to set the preferences to what I like again, and the saved files were in the admin directory, but I was able to restore functionality without a total reinstall (oh what fun!)

I'm posting this on every site/forum I have access to, so hopefully it will help someone else. If you have any info to add...

PLEASE DO!!!!!!!!

Also, I want to add, rKill, countless fixes, and even Spybot S&D (which surprised me) couldn't solve/prevent this. I think it's official, this company's program is the last one left standing... though it still needs A LOT of work!
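The "Open With" prompt on every executable described in this post is what a rewritten .exe file association looks like, and the fact that only one profile was affected points at a per-user registry override. The batch script below is an added example, not part of the original post or of Malwarebytes' tooling: it reads the association as the shell sees it with `assoc`/`ftype`, compares it against the assumed Windows defaults (`.exe=exefile`, `exefile="%1" %*`), and reports whether the current user has a class override under HKCU\Software\Classes that would shadow the machine-wide setting.

```batch
@echo off
setlocal
REM Added example (not from the original post): audit what the shell does when
REM an .exe is opened, since an "Open With" prompt on every executable usually
REM means the .exe file association was rewritten. Run from an Administrator
REM account (Safe Mode is fine). Assumed known-good defaults:
REM   assoc .exe      ->  .exe=exefile
REM   ftype exefile   ->  exefile="%1" %*
set "EXEASSOC="
set "OPENCMD="
REM assoc/ftype print name=value; split on the first "=" and keep the value.
for /f "tokens=1,* delims==" %%A in ('assoc .exe 2^>nul') do set "EXEASSOC=%%B"
if not defined EXEASSOC set "EXEASSOC=MISSING"
REM Query the open command of whatever type .exe currently maps to, so a
REM hijack that points .exe at a different type is still inspected.
for /f "tokens=1,* delims==" %%A in ('ftype %EXEASSOC% 2^>nul') do set "OPENCMD=%%B"
if not defined OPENCMD set "OPENCMD=MISSING"
echo .exe file type : %EXEASSOC%
echo open command   : %OPENCMD%
if /i "%EXEASSOC%"=="exefile" (
    echo [OK]   .exe maps to exefile
) else (
    echo [WARN] .exe maps to %EXEASSOC% instead of exefile
)
REM Quotes are stripped before the comparison so the value is safe inside IF;
REM the default then reads  %1 %*  and anything else (for example an extra
REM program path in front of "%1") is flagged.
set "CMDNOQ=%OPENCMD:"=%"
if "%CMDNOQ%"=="%%1 %%*" (
    echo [OK]   open command is the default
) else (
    echo [WARN] open command is not the default - inspect it before repairing
)
REM Per-user class registrations under HKCU\Software\Classes override the
REM machine-wide ones for that user only, which would explain why one
REM profile is affected while the Administrator account still works.
reg query "HKCU\Software\Classes\.exe" >nul 2>&1 && (
    echo [WARN] HKCU\Software\Classes\.exe exists - per-user .exe override
) || (
    echo [OK]   no per-user .exe class override
)
reg query "HKCU\Software\Classes\exefile" >nul 2>&1 && (
    echo [WARN] HKCU\Software\Classes\exefile exists - per-user exefile override
) || (
    echo [OK]   no per-user exefile override
)
```

Run it once as the affected user and once as Administrator; a WARN that appears only for the affected user confirms the per-user override and tells you which keys to capture in the logs before repairing or deleting the profile.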


Hello, and Welcome to Malwarebytes

If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

You have 3 Options that you can choose from as listed below:

Option 1


Thanks, but I just wanted to bring this to everyone's attention. I still don't know what hit my computer, and given the emails from other forums' users/people who have experienced this I guess not many people at your company are aware. If there's a workaround (like the one I stated) then there must be a full solution. Just thought you (and anyone reading this) should know about it in case they are experiencing the same thing.

And really... when has the block/canned response EVER done anyone (including yourselves) any real good? Now I know I'm just nitpicking here, but isn't it better for both the company and the consumer of your product if you listen to those of us who have problems you haven't considered and try to find the cause/solution on an individual basis BEFORE advertising your services? I know... you get a thousand of these a day, and no one/company can REALLY get "into" each situation as much as they would like, but if I'm right and you haven't come across/solved this problem before, then isn't it worth it to give each of these at least a second glance before you post the canned stuff?

Again, nothing I can't really understand about it; "just saying" is all. The workaround did the trick, so it's not as big of a problem for me as it once was.

WOW... Just realized how far off topic I got. Sorry for that. Whiskey and Pringles is a bad combination, lol... Seriously, DON'T combine the two!


And really... when has the block/canned response EVER done anyone (including yourselves) any real good? Now I know I'm just nitpicking here, but isn't it better for both the company and the consumer of your product if you listen to those of us who have problems you haven't considered and try to find the cause/solution on an individual basis BEFORE advertising your services? I know... you get a thousand of these a day, and no one/company can REALLY get "into" each situation as much as they would like, but if I'm right and you haven't come across/solved this problem before, then isn't it worth it to give each of these at least a second glance before you post the canned stuff?

I understand what you are saying, and thanks for bringing it to our attention along with your workaround. With the help of people like you, the folks at Malwarebytes are able to get the information they need to come up with a fix.

I know that reading through a canned speech does not always make sense, but to be honest with you, it not only helps you, but it will help others. By providing the required logs and posting them so the experts can review them, they are able to trace the source of the infection and correct it. With this information, the experts pass along what they found on your computer to the developers, and then they add it to the database so that with the next update they are able to detect the infection. This way everyone wins.

Don't get me wrong, I am not knocking your solution; if it works (as in your case it did), it's valuable information, although some folks may not want to take that approach, as they may have a lot of files to save, and user preferences in their profile. They may feel it is too time consuming and would prefer a quicker fix. As I mentioned, posting your logs in the HJT section would help everyone. It is my opinion that canned speeches do work, and this is why I use them.

I am glad your computer is back to working order. The cause of your infection could be a rootkit infection, and if that is the case, the problem you had will eventually creep up again, because just deleting the profile and creating a new one will most likely not get rid of the rootkit.

If I were you, I would still post in the HJT section and have the experts take a look at my logs to make sure ALL of the infection has been removed.
