29 replies to this topic

[Sarge]

infected with "Protection System" and "PC AntiSpyware" and God knows what else. Download and install MBAM and it won't run.

I've been here:

http://www.malwarebytes.org/forums/index.p...amp;#entry35969

there is no TDSSserv.sys


what do I do?




Semper Fi,

Sarge

[Maurice Naggar]

Hello Sarge,

Take a close look at this tip by Fatduck http://www.malwareby...showtopic=17583

Try renaming the mbam setup.exe (if you have not finished setup) or renaming MBAM.exe if you have completed setup.
After the rename, try starting it.
HTH

[Sarge]

Maurice Naggar, on Aug 24 2009, 02:18 PM, said:

Hello Sarge,

Take a close look at this tip by Fatduck http://www.malwareby...showtopic=17583

Try renaming the mbam setup.exe (if you have not finished setup) or renaming MBAM.exe if you have completed setup.
After the rename, try starting it.
HTH

Thanks Maurice. It started to run once I renamed and updated it, then it went away. Now when I go to the icon to try to restart the application, I get a critical stop msg that tells me it can't access the file, I may not have access permission.

[Maniac]

Greetings and Welcome .

If you're having trouble getting Malwarebytes' and other tools to update or run please review the following tutorials and see if they are helpful:

• Total-Security (FakeAlert)
  
• av360 (Fakealert)
  
• CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC/ovfst
  
• SystemSecurity

If you aren't able to use those instructions or there are other issues then please follow the instructions here:
I'm infected - What do I do now?

And post your logs in a new topic here:
Malware Removal - HijackThis Logs

Please be sure not to install any software or use any removal or scanning tools except those that you are
instructed to by the expert who will be assisting you as doing so can make their job much more difficult.

note: if for some reason you are unable to run some or any of the tools in the first link, then skip that step and move on to the next one.
If you can't even run HijackThis, then just post here: Malware Removal - HijackThis Logs describing your issues and an expert will reply with further instructions.

I hope I was helpful. Good luck and safe surfing.

[Sarge]

Maniac, on Aug 24 2009, 02:31 PM, said:

Greetings and Welcome .

If you're having trouble getting Malwarebytes' and other tools to update or run please review the following tutorials and see if they are helpful:

• Total-Security (FakeAlert)
  
• av360 (Fakealert)
  
• CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC/ovfst
  
• SystemSecurity

If you aren't able to use those instructions or there are other issues then please follow the instructions here:
I'm infected - What do I do now?

And post your logs in a new topic here:
Malware Removal - HijackThis Logs

Please be sure not to install any software or use any removal or scanning tools except those that you are
instructed to by the expert who will be assisting you as doing so can make their job much more difficult.

note: if for some reason you are unable to run some or any of the tools in the first link, then skip that step and move on to the next one.
If you can't even run HijackThis, then just post here: Malware Removal - HijackThis Logs describing your issues and an expert will reply with further instructions.

I hope I was helpful. Good luck and safe surfing.

This is just lovely. Now I get no desktop when I boot this thing. Safe mode or normal mode, it boots normally until it's time to show me the desktop, then I get NOTHING. If I try to manually start the explorer with the task manager, it tells me:
"Windows cannot access the specified device, path orr file. You may not have the appropriate permission to access the item."

[ViruzHelp]

Sarge, on Aug 24 2009, 07:50 PM, said:

This is just lovely. Now I get no desktop when I boot this thing. Safe mode or normal mode, it boots normally until it's time to show me the desktop, then I get NOTHING. If I try to manually start the explorer with the task manager, it tells me:
"Windows cannot access the specified device, path orr file. You may not have the appropriate permission to access the item."

Plz try this link it helped me with removing the ANTIvirus2009


Hope all is good
-buchner

Edited by AdvancedSetup, 25 August 2009 - 05:14 AM.
links removed. Pleasse do not post unrequested links. If you need assistance create a post in the HJT fourm.

[Maniac]

Sarge, follow these instructions:
http://www.malwareby...?showtopic=9573

Finally, post all information and logs here in new topic here:
http://www.malwareby...php?showforum=7

[Sarge]

Maniac, on Aug 24 2009, 03:00 PM, said:

Sarge, follow these instructions:
http://www.malwareby...?showtopic=9573

Finally, post all information and logs here in new topic here:
http://www.malwareby...php?showforum=7

Thanks for hangin in there with me fellas, but I have NO DESKTOP......U savvy? Black screen. No explorer. It went away in the middle of me trying some of these things, and now, I've got nothin'. Even in safe mode. The task manager works, and it shows all the running processes, but explorer.exe ain't one of them, and I can't run it manually. I get the error I indicated below.

[Sarge]

Sarge, on Aug 24 2009, 03:23 PM, said:

Thanks for hangin in there with me fellas, but I have NO DESKTOP......U savvy? Black screen. No explorer. It went away in the middle of me trying some of these things, and now, I've got nothin'. Even in safe mode. The task manager works, and it shows all the running processes, but explorer.exe ain't one of them, and I can't run it manually. I get the error I indicated below.

[Maniac]

Avira AntiVir Rescue System
[indent]Requires access to a working computer with a CD/DVD burner to create a bootable CD.

• Download the Avira AntiVir Rescue System from here
  
• Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
  
• The program will automatically burn the CD for you.
  
• Place the burned CD into the affected computer and start the computer from this CD.
  
• On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  
• Click on the Configuration button.
  
  • Select Scan all files
    
  • Select Try to repair infected files and Rename files, if they cannot be removed
    
  • Select Scan for dialers
    
  • Select Scan for joke programs (Jokes)
    
  • Select Scan for games
    
  • Select Scan for spyware (SPR)
• Click on Virus scanner
  
• Click on Start scanner at the bottom of the screen
  
• Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

• Please see the post here if you're unable to view the entire screen of Avira.
  
• You can also review this one Fixed Rescue CD Resolution Probs with Dell Video
  
• Currently only the German keyboard is supported. Command Line not working English keyboards require work arounds.
  
• Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.

[/indent]


Note: Download and burn it from clean computer.

[Sarge]

this happened after I renamed mbam.exe to winlogon.exe in an attempt to get it to run as advised to do. MBAM did start to run, and then quit, and now I have this issue. The taskmanager shows winlogon.exe running.........is that the actual winlogon.exe or the renamed mbam.exe I wonder?

[Sarge]

Sarge, on Aug 24 2009, 03:28 PM, said:

this happened after I renamed mbam.exe to winlogon.exe in an attempt to get it to run as advised to do. MBAM did start to run, and then quit, and now I have this issue. The taskmanager shows winlogon.exe running.........is that the actual winlogon.exe or the renamed mbam.exe I wonder?

I've also tried to rename the aforementioned file back to it's original name from the command prompt, and it tells me access is denied.

[Sarge]

Maniac, on Aug 24 2009, 03:28 PM, said:

Avira AntiVir Rescue System
[indent]Requires access to a working computer with a CD/DVD burner to create a bootable CD.

• Download the Avira AntiVir Rescue System from here
  
• Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
  
• The program will automatically burn the CD for you.
  
• Place the burned CD into the affected computer and start the computer from this CD.
  
• On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  
• Click on the Configuration button.
  
  • Select Scan all files
    
  • Select Try to repair infected files and Rename files, if they cannot be removed
    
  • Select Scan for dialers
    
  • Select Scan for joke programs (Jokes)
    
  • Select Scan for games
    
  • Select Scan for spyware (SPR)
• Click on Virus scanner
  
• Click on Start scanner at the bottom of the screen
  
• Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

• Please see the post here if you're unable to view the entire screen of Avira.
  
• You can also review this one Fixed Rescue CD Resolution Probs with Dell Video
  
• Currently only the German keyboard is supported. Command Line not working English keyboards require work arounds.
  
• Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.

[/indent]


Note: Download and burn it from clean computer.

This computer boots........it just don't give me the desktop.

[Maniac]

I know, so I told you to use another clean computer to download and to burn the cd.

[Sarge]

"The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available."

Ok. doing that now, Just wanted to be sure I was on the same page with you.

tx

[Sarge]

It don't fly. The Avira engine don't recognize the burner drive with the blank cd inserted, but the wizard does.

I can't do a repair install of the OS because it's SP3.............unless I try to slipstream one..........SFC didn't help none either.

[Maurice Naggar]

Sarge,

First remove any CDs or diskettes from this pc (if any are in place).

Let's have you try to reboot/restart but this time select Last Known Good
As the pc is rebooting, right away, tap & Re-Tap the F8 function key
You should see an Advanced Bootup Options list.

Select Last Known Good

Let me know how you did. If it manages to login to normal mode, then just let me know & stay put. Await further input.

[AdvancedSetup]

This should not be worked on in the General forum. Please take this over to the HJT forum.

Thanks.

[Sarge]

Ok, if one of you nice Admins wants to move me over to the right forum, I'll continue there.

Sorry about being in the wrong spot.

[Maurice Naggar]

Hello Sarge,

You're in the right spot for now. When you can generate a diagnostic report is when I would move this.

Can you tell me if you have the Windows XP CD for this system?
Or if the pc has a diskette drive?

Or if you happen to have made backups of this system to CD/DVD or USB external drive?

Also, try these one at a time and provide detail of how far you get.
Force a reboot/restart of pc. As the pc is rebooting, right away, tap & Re-Tap the F8 function key
Select Safe Mode with Networking from the Advanced Bootup Option.

Does that get you to a stable XP? If not, I need to know how far it goes and where it stops. I know you say no desktop.

If no joy, Repeat reboot & F8 .... now select Safe Mode
Any luck there ?

If no joy, Repeat reboot & F8 .... now select Safe Mode with Command prompt
Any luck there? This last one will only just display a basic 2 line display, but you should have a command prompt, quite similar to the old DOS.

If any one of these gets you a decent "login", just keep it there and let me know here.