Malwarebytes

pc too infested to install malwarebytes


6 replies to this topic

#1
Temmu

    New Member

  • Members
  • 5 posts
hi,

hp pavilion dv9005us laptop - amd64, nvidia, xp media center. (not mine so can't be too much more specific...)

in normal mode (not safe mode)
i attempt to install malwarebytes from mbam-setup.exe from a cd
taskmanager shows mbam-setup running
then, nothing.

taskmanager shows these that cannot be killed (they respawn)
ehrecvr.exe
dllhost.exe
mcrdsvc.exe

"antivirus pro 2009 - installer" progress bar appears after clicking balloon in system tray "your pc is infected..."
not having this laptop hooked up to the internet, it obviously cannot download its payload.

anyway, 2 goals
1 - primary - get the malware off the laptop
2 - install malwarebytes!

help is appreciated! thanks in advance... :)

#2
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,526 posts
  • Gender:Male
  • Location:Fortville, IN
Please rename mbam-setup.exe to something random, such as dkfhdkjfg.exe, and let me know if it will install.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#3
Temmu


GT500, on Dec 19 2008, 12:37 PM, said:

Please rename mbam-setup.exe to something random, such as dkfhdkjfg.exe, and let me know if it will install.

yes. it installed.
however, running mbam.exe (or renaming it abcd.exe and running that) does nothing.
taskmanager shows mbam.exe (or abcd.exe) as a process, but nothing shows up onscreen.

ps
taskmanager shows only 1 - 4% cpu and nothing huge in memory usage.

but something those items listed above have a choke-hold on xp.

what's next?

thanks! :)

#4
Temmu

alrighty then...

after, oh, 10 minutes of waiting, malwarebytes started!
i have initiated a full scan.
i cannot, of course, update as i have no intention of plugging into the internet.

i will post the outcome and if needed, another help request.

thanks again.

#5
GT500

There is a downloadable offline database installer available here.

You can also copy an updated rules.ref from another computer that has MBAM installed, and replace the one on the infected computer.

Windows XP:
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

Windows Vista:
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref


#6
Temmu

thanks, gt500!

copied rules to infested pc.
ran mbam.exe

mbam found:

vundo
fake.beep.sys
fake alert
startmenu hijack
others...

thanks again!

#7
GT500

You are welcome.

If you continue to see signs of infection, then please follow these instructions for posting in our Malware Removal - HijackThis Logs forum, and one of our malware removal experts will be happy to give you a hand at making sure your computer is clean.
