Hi,
I see there must have been some widespread malware out in the last 48 hours with all these posts indicating folks can't run malwarebytes or several other programs. Malwarebytes has always worked for me previously, but I must admit this is the nastiest bug I have had to deal with. Some of the things I have tried might work for others. It only partially worked for me (no pop ups for the annoying ransomware fake antivirus programs).
Suggestions culled from the other messages here, all tried in safe mode and regular mode:
When malwarebytes stops running after a few seconds -->Rename mbam.exe -->Seems this has worked for a few lucky ones
-Unfortunately the same thing happens with the renamed executable for me and others
-I redownload and change the names before running it the first time and it will still quit out after a few seconds and then won't run again
-Uninstalling/redownloading/reinstalling to different directories gives the same problem
Download process explorer and rename it to winlogon.exe.
-The process explorer works for me, but I find nothing to delete. (I had previously killed processes and deleted files as mentioned under task manager)
Other googled suggestions
-Ran task manager and killed the following processes and removed their files
msa.exe, b.exe, svchast.exe (Meant to look like svchost.exe)
-Ran msconfig
-Disabled AntipyPro_12 from services (not a misspelling, it's AntpyPro_12 with no s in it)
-Could NOT KILL tahidazu.dll in startup. I get an error message. I manually deleted the file c:\windows\system32\tahidazu.dll but I get a dialogue box that the specified module can't be found on the next startup
-Ccleaner
-I thought surely ccleaner startup tool would do the trick but it won't disable or delete detokadafe which is the program associated with the
run32dll.exe "c:\Windows\System32\tahidazu.dll",s
-Ccleaner Registry scan keeps finding the tahidazu registry entry and fixes it but it comes right back
-Manual REGEDIT to delete any instance of detokadafe fails as well as it keeps coming back with (system restore previously turned off)
-Ran services.msc
-AntipyPro_12 is indeed disabled and the svchast.exe it points to has been deleted
-Can't turn on windows defender error 5: access is denied
Is there a network mode that lets malwarebytes scan another computer's hard drive over a network? I thought of just pulling the hard drive out and plugging it into the working computer but am afraid the bug could spread and it still wouldn't clean out registry errors and the like.
Well, I got one more suggestion I will try tonight. Since windows defender won't run, I will uninstall and reinstall it. I don't hold high hopes because this malware interrupts the installation and/or running of malwarebytes, spybot, McAfee and windows defender. It didn't seem to interfere with Ad-Aware 2008 but all adaware found the first time were cookies.
I guess I could try a windows xp reinstall but I don't think it will take without reformatting as the CD is a few service packs old. I will leave files backing up to an external drive and hope I see a solution on this forum for how to get mbam.exe working when it keeps getting stopped by the bug assuming the simple solutions like renaming, killing processes don't do the trick.
Kai
So is there a universal fix for the malware that won't let malwarebytes or other programs to run?
Started by Kaisersosay, Aug 09 2009 02:13 AM
#1
Posted 09 August 2009 - 02:13 AM
#2
Posted 09 August 2009 - 04:32 AM
Hi,
Man, it is soooooo aggravating to have malwarebytes start cooking for a few seconds then stop and close shop. I then can't run it again unless I copy the backup mbam.exe and rename it and drop in the directory. I am sure it's one of these programs stopping it, but can't tell which one. I know the second winlogon.exe is the renamed process explorer launch program. I am suspicious of all those svchost.exe but some of them when deleted force a computer reboot.
I previously had and killed wiawow32.sys (known malware).
Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 848 Windows NT Session Manager Microsoft Corporation
csrss.exe 908 Client Server Runtime Process Microsoft Corporation
winlogon.exe 944 Windows NT Logon Application Microsoft Corporation
services.exe 992 1.54 Services and Controller app Microsoft Corporation
ati2evxx.exe 1160 ATI External Event Utility EXE Module ATI Technologies Inc.
svchost.exe 1172 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1312 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1440 Generic Host Process for Win32 Services Microsoft Corporation
incdsrv.exe 1464 incdsrv Nero AG
svchost.exe 1708 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1976 Generic Host Process for Win32 Services Microsoft Corporation
IreIKE.exe 1996 IreIke Service Application SafeNet
aawservice.exe 340 Ad-Aware Service Lavasoft
spoolsv.exe 616 Spooler SubSystem App Microsoft Corporation
svchost.exe 2244 Generic Host Process for Win32 Services Microsoft Corporation
AppleMobileDeviceService.exe 2364 Apple Mobile Device Service Apple Inc.
CTSVCCDA.EXE 2548 Creative Service for CDROM Access Creative Technology Ltd
svchost.exe 2640 Generic Host Process for Win32 Services Microsoft Corporation
IPSecMon.exe 2824 IPSecMon Service Application SafeNet
jqs.exe 2860 Java Quick Starter Service Sun Microsystems, Inc.
mcmscsvc.exe 2984 McAfee Services McAfee, Inc.
McNASvc.exe 3068 McAfee Network Agent McAfee, Inc.
McProxy.exe 3148 McAfee Proxy Service Module McAfee, Inc.
Mcshield.exe 3200 On-Access Scanner service McAfee, Inc.
mdm.exe 3256 Machine Debug Manager Microsoft Corporation
svchost.exe 3468 Generic Host Process for Win32 Services Microsoft Corporation
MsPMSPSv.exe 3632 WMDM PMSP Service Microsoft Corporation
alg.exe 3936 Application Layer Gateway Service Microsoft Corporation
mcsysmon.exe 2728 McAfee SystemGuards Service McAfee, Inc.
MpfSrv.exe 2096 McAfee Personal Firewall Service McAfee, Inc.
lsass.exe 1004 LSA Shell (Export Version) Microsoft Corporation
ati2evxx.exe 1528 ATI External Event Utility EXE Module ATI Technologies Inc.
taskmgr.exe 2432 Windows TaskManager Microsoft Corporation
explorer.exe 264 Windows Explorer Microsoft Corporation
CTHELPER.EXE 1600 CtHelper MFC Application Creative Technology Ltd
InCD.exe 1888 InCD Nero AG
mcagent.exe 2016 McAfee Integrated Security Platform McAfee, Inc.
wcescomm.exe 1260 ActiveSync Connection Manager Microsoft Corporation
winlogon.exe 3512 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
CCleaner.exe 452 CCleaner Piriform Ltd
ctfmon.exe 3828 CTF Loader Microsoft Corporation
Kai
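A triage pass over a process listing like the one above, as an added example that is not from either poster: it flags names that imitate core Windows binaries (the svchast.exe case from the first post) and core names whose company field is not Microsoft (the second winlogon.exe). The name list, the distance threshold and the PID given to svchast.exe are assumptions made for the illustration.

```python
# Added example: flag masquerading process names in a (name, pid, company) listing.
# Assumption: a short illustrative list of core Windows process names.
SYSTEM_NAMES = ("csrss.exe", "explorer.exe", "lsass.exe", "services.exe",
                "smss.exe", "svchost.exe", "winlogon.exe")
EXPECTED_COMPANY = "Microsoft Corporation"

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(rows, max_distance=2):
    """Return (pid, name, reason) for every row that deserves a closer look."""
    findings = []
    for name, pid, company in rows:
        low = name.lower()
        if low in SYSTEM_NAMES:
            # The company string comes from the file's version resource and can
            # be forged, so a match is unverified; a mismatch is still worth a look.
            if company != EXPECTED_COMPANY:
                findings.append((pid, name, "core name, company is %r" % company))
            continue
        nearest = min(SYSTEM_NAMES, key=lambda s: edit_distance(low, s))
        if edit_distance(low, nearest) <= max_distance:
            findings.append((pid, name, "lookalike of " + nearest))
    return findings

# Rows taken from the listing above, except svchast.exe: it is named in the
# first post without a PID, so its PID and empty company are constructed.
SAMPLE = [
    ("winlogon.exe", 944, "Microsoft Corporation"),
    ("svchost.exe", 1172, "Microsoft Corporation"),
    ("lsass.exe", 1004, "Microsoft Corporation"),
    ("spoolsv.exe", 616, "Microsoft Corporation"),
    ("mcagent.exe", 2016, "McAfee, Inc."),
    ("winlogon.exe", 3512, "Sysinternals - www.sysinternals.com"),
    ("svchast.exe", 4242, ""),
]

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE):
        print(pid, name, reason)
```

The winlogon.exe hit at PID 3512 is the renamed Process Explorer the poster started deliberately, which is the kind of finding this check surfaces for a person to confirm or dismiss.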
#3
Posted 30 August 2009 - 05:48 AM
I apologize for the long delay however the site has been swamped with too many requests and your post appears to have been overlooked in the rush.
If you still require assistance please let us know.
#4
Posted 31 August 2009 - 08:15 PM
Since you appear to no longer be monitoring this post we will assume that you've already addressed the issue and no longer require assistance and we will close the post now.
If however you do still require assistance please send a private message to open the post again.