
Malwarebytes

Can't download Anti-malware


14 replies to this topic

#1
steve150

    New Member

  • Members
  • 7 posts
I can't get the Anti-malware to download. I follow the instructions and the setup screen appears and says "finishing installation" with the full green bar but never gets any further.

I've got the Antivirus 360 on the machine and want to try Anti-malware to get it off.

HELP!!

Steve150

#2
exile360

    exile

  • Moderators
  • 12,959 posts
  • Gender:Male
Greetings steve150, please try renaming the setup file to something random like 1234.exe and see if it will install. If it does, but won't run, then navigate to C:\Program Files\Malwarebytes' Anti-Malware and rename mbam.exe to something random as well, then double click it and try to run it. Do a check for updates, then do a quick scan and have it remove what it finds. After you've done this, if there are still any issues present, then please read the instructions here: http://www.malwareby...?showtopic=2936
and post your logs in a new topic here: http://www.malwareby...php?showforum=7

Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult.


I hope I was helpful.
Good luck and safe surfing.
Samuel E Lindsey
Product Manager


#3
steve150

    New Member

  • Members
  • 7 posts
Thank you. But I could not find a way to rename the setup file. I click the Download button and go through the process, however there is never an opportunity to rename the setup file before download starts. The download takes about 20 minutes or so. The downloaded file does not include a setup file or the mbam.exe file. Could the Antivirus 360 be blocking the download?

Thanks in advance,
Steve

#4
TeMerc

    Forum Deity

  • Moderators
  • 1,935 posts
  • Gender:Male
  • Location:Phx. AZ. USA
  • Interests:Formula 1 Auto Racing, Computer Security, Entertainment, Sci-Fi, SuperHeroes

steve150, on Dec 20 2008, 10:30 AM, said:

Thank you. But I could not find a way to rename the setup file. I click the Download button and go through the process, however there is never an opportunity to rename the setup file before download starts. The download takes about 20 minutes or so. The downloaded file does not include a setup file or the mbam.exe file. Could the Antivirus 360 be blocking the download?

Thanks in advance,
Steve
Hi Steve.

Once the file is installed to the desktop, right-click it, select 'rename' from the menu and type in whatever name you want to call it, but be sure you have .exe at the end of it or it won't run at all.

See the screenshot for what I mean.

Attached Images

  • Attached Image: ScreenShot005.jpg

Tom Mercado
Consumer Support Engineer


#5
steve150

    New Member

  • Members
  • 7 posts
I renamed the desktop icon including .exe however when I click on it nothing happens, except the hourglass shows up for a short while.

There are no .exe files in the Malware programs file.

It looks like it did not fully download. When it downloads, it looks like everything is ok but it does not automatically launch the application as the screen says it will.

I've got McAfee installed and running and AOL's spyware protection. Do I need to turn those off during the download of Malware?

Steve

#6
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,527 posts
  • Gender:Male
  • Location:Fortville, IN
I suggest uninstalling AOL Spyware Protection. It's not only not helping you at all, but it will get in your way when trying to clear out any infections you may have.

Are you able to run HijackThis? Try saving it on your desktop, renaming it to something random, and then launch it and have it scan and produce a log. Copy and paste that log into a reply here please.

Quote

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#7
steve150

    New Member

  • Members
  • 7 posts

GT500, on Dec 20 2008, 10:14 AM, said:

I suggest uninstalling AOL Spyware Protection. It's not only not helping you at all, but it will get in your way when trying to clear out any infections you may have.

Are you able to run HijackThis? Try saving it on your desktop, renaming it to something random, and then launch it and have it scan and produce a log. Copy and paste that log into a reply here please.


#8
steve150

    New Member

  • Members
  • 7 posts
Thanks for your patience with me.

I uninstalled the AOL spyware as you suggested.

The HijackThis log is below.
When I download the Malware I check RUN. Should I be checking Save?

Thanks.

Sorry for the long delay in responding. AV360 locked up everything and it took quite a while to get restarted.

Steve

PS I hope I'm responding correctly. I have trouble finding a button that says Send or something like that.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:43 AM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Common Files\AOL\1158524505\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\A360\av360.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [McafWelcome] C:\Program Files\McAfee.com\Agent\mcwelcom.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1158524505\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [24c37e47] rundll32.exe "C:\WINDOWS\system32\lgmvflro.dll",b
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [90649310788111197325791989421849] C:\Program Files\A360\av360.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: itjfwo.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7435 bytes

#9
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,527 posts
  • Gender:Male
  • Location:Fortville, IN

steve150 said:

When I download the Malware I check RUN. Should I be checking Save?

Yes, you should be clicking on the 'Save' button. We recommend saving the installer to your desktop for ease of access, since you will need to rename it to something random before you can install.

I'll go ahead and take a look at your HijackThis log. I'll reply with some instructions as soon as possible.

Quote

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#10
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,527 posts
  • Gender:Male
  • Location:Fortville, IN
OK, I recommend removing the following entries. You do that by running a HijackThis scan, putting a check mark in the box next to each line that needs to be deleted, and then clicking on the 'Fix' button down below.

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [24c37e47] rundll32.exe "C:\WINDOWS\system32\lgmvflro.dll",b
O4 - HKCU\..\Run: [Power2GoExpress] NA

O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [90649310788111197325791989421849] C:\Program Files\A360\av360.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O20 - AppInit_DLLs: itjfwo.dll



You should be able to install and run MBAM after that to check for more problems. Let me know if you have any trouble with those directions.

Quote

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
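
The kind of first-pass triage applied to the log above can be sketched in code. This is an added example, not part of the original thread and not a Malwarebytes or HijackThis tool; the sample lines are copied from the posts on this page, and the three heuristics (random-looking Run value names, rundll32 launching a DLL at startup, the same Run name in both HKLM and HKCU) plus the AppInit_DLLs check are illustrative assumptions rather than the criteria the helpers used.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [24c37e47] rundll32.exe "C:\WINDOWS\system32\lgmvflro.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [90649310788111197325791989421849] C:\Program Files\A360\av360.exe
O20 - AppInit_DLLs: itjfwo.dll,C:\WINDOWS\SYSTEM32\kawdwn.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-fA-F]{8,}$")  # assumption: 8+ hex/digit chars looks generated

def triage(log_text):
    """Return (reason, detail) pairs for entries that deserve a closer look."""
    findings = []
    hives_by_name = defaultdict(set)  # Run value name -> hives it appears in
    for line in log_text.splitlines():
        line = line.strip()
        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():
            # Each listed DLL is loaded into every process that loads user32.dll,
            # so any value here is reported DLL by DLL.
            for dll in m.group(1).split(","):
                findings.append(("appinit_dll", dll.strip()))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, name, command = m.groups()
        hives_by_name[name].add(hive)
        if HEX_NAME_RE.match(name):
            findings.append(("random_looking_name", line))
        if command.lower().startswith("rundll32") and ".dll" in command.lower():
            findings.append(("rundll32_launches_dll", line))
    for name, hives in hives_by_name.items():
        if len(hives) > 1:
            findings.append(("same_name_in_hklm_and_hkcu", name))
    return findings

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:28} {detail}")
```

A hit only marks a line for review, and legitimate software can trigger any of these checks. Reporting AppInit_DLLs one DLL at a time also shows a value that has changed between scans, as it did between posts #8 and #11.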

#11
steve150

    New Member

  • Members
  • 7 posts
No luck yet. I deleted what you suggested except for O20 - AppInit_DLLs: itjfwo.dll because it did not show up on the list when I ran the HijackThis. What did show up was O20 - AppInit_DLLs: itjfwo.dll,C:\WINDOWS\SYSTEM32\kawdwn.dll

But I did not delete that since it was not exactly what you'd listed.

I tried downloading MBAM by clicking SAVE and it put the info in My Documents but did not start anything automatically, and would not do anything when I double clicked on the saved file icon.

So I tried downloading MBAM by clicking on RUN but it got stuck on the "extracting files" screen with the green bar halfway across. It's been that way for about an hour.

I apologize for the problems, I'm not the best computer jockey....


Steve

#12
TeMerc

    Forum Deity

  • Moderators
  • 1,935 posts
  • Gender:Male
  • Location:Phx. AZ. USA
  • Interests:Formula 1 Auto Racing, Computer Security, Entertainment, Sci-Fi, SuperHeroes
This is going to need a whole lot more work, fixing with HJT will not do anything.

I suggest moving this to the proper forum where it will get the attention it needs.
Tom Mercado
Consumer Support Engineer


#13
Raid

    Malware Researcher

  • Experts
  • 1,549 posts
  • Gender:Male
  • Location:United States
Hi guys...

Just a friendly note from me.. :)

Please acquire any survivors from the machine if possible that MBAM misses so that we won't miss them again in the future. Thanks!

#14
steve150

    New Member

  • Members
  • 7 posts

Raid, on Dec 20 2008, 07:34 PM, said:

Hi guys...

Just a friendly note from me.. :)

Please acquire any survivors from the machine if possible that MBAM misses so that we won't miss them again in the future. Thanks!

Thanks. So what would be the proper forum and how do I get there? And what do you mean by acquiring survivors?

Steve

#15
exile360

    exile

  • Moderators
  • 12,959 posts
  • Gender:Male
Hello again, I believe what was meant by the proper forum would be here: http://www.malwareby...php?showforum=7 That's where users get assisted by the experts to clean their machines. Just follow the instructions here as closely as possible: http://www.malwareby...?showtopic=2936 If you are unable to run one or more of the scans in that topic, just skip it and move on to the next one. What Raid meant by acquiring survivors would be grabbing samples from you by the expert who will be helping you of malware that MBAM isn't detecting/removing (the stuff that requires manual removal with the expert's assistance).
Samuel E Lindsey
Product Manager
