Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

XP Smart Security - Unregistred Version


  • This topic is locked This topic is locked
20 replies to this topic

#1 jmrich56

jmrich56

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 05 April 2010 - 10:40 PM

I have searched this forum and several others on this site looking for a virus / malware infection identical to the one on my laptop but have found none. The pop ups on my screen have "XP Smart Security - Unregistred Version" at the top of the pop ups except for one, "Windows Security Center", which is phony because in that window is the option to manage security settings for : XP Smart Security. Dr. Web Cure it, Malwarebytes Ant-Malware, and CCleaner will remove the pop ups until I pick and lauch a web address from a Google or Bing search. The address in the browser changes and is re-directed to a different website where I suspect my laptop is re-infected. If this is another version of "XP Smart Security 2010" then I will review the protocol for removing and maybe attempt myself. Thank you.

BC AdBot (Login to Remove)

 


#2 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:12:46 PM

Posted 06 April 2010 - 09:42 AM

Please post the log from Malwarebytes.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#3 jmrich56

jmrich56
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 06 April 2010 - 11:54 PM

Sorry for the delay - work work work! Laptop is not co-operating tonight. Had to use "safe mode" before Malwarebytes would start. The "Troubleshooting Malwarebytes Anti-Malware" post by Grinler did not bypass the virus issue - tried all of the suggestions. I have 2 logs below - 1st. is MW log from 4/4 in normal mode - this log came from a scan after Dr. Web's Cure it and before CCleaner. As posted previous, the virus / malware re-appeared after I selected a web site from a search engine results page and double-clicked. I watched the address in the browser window change to a re-directed website. 2nd. log is in "safe mode"Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3951

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/4/2010 9:26:57 AM
mbam-log-2010-04-04 (09-26-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 224523
Time elapsed: 57 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\us.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

-------------------Next log is tonights' in "safe mode"---------------------------------------------

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3951

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11

4/6/2010 9:19:02 PM
mbam-log-2010-04-06 (21-19-02).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 228310
Time elapsed: 39 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\TOM\Local Settings\Application Data\vma.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D7EECCCB-504A-4B73-84FE-DF9426EF622E}\RP463\A0075407.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\TOM\Local Settings\Application Data\vma.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


Thank for taking the time to review this.

#4 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:12:46 PM

Posted 07 April 2010 - 06:24 AM

Ok. Let's dig a little deeper and see what we can find.

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
  • First
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Please perform a scan with Eset Onlinescan (NOD32).
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  • You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab)".
  • Answer Yes to install and download the ActiveX controls that allows the scan to run.
  • Click Start.(the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan to start the online scan. (this could take some time to complete)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.
  • Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad.
  • Copy and paste the log results in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn\ them back on after you are finished

Please post the logs from SAS and ESET when complete.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#5 jmrich56

jmrich56
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 07 April 2010 - 11:53 PM

techextreme, as you noted in post above this is going to take some time. Will post results asap. thanks

#6 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:12:46 PM

Posted 08 April 2010 - 07:33 AM

I'll be watching for it.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#7 jmrich56

jmrich56
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 08 April 2010 - 10:12 AM

Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Techextreme, the note above was in your previous post. Does this include "administrator"? I have completed first user SAS scan and will post below but after retrieving log and re-booting in "safe mode" and double-clicking "SUPERAntispyware" icon, a window popped up asking what program I wanted to use to open file with. And then came work thirty. I know this would progress faster if I brought the laptop to work but my fear of infecting the company server inhibits me from wanting to plug in to the system for the next step - ESET scan. That said, I was willing to plug the flash stick into my work computer to paste the 1st. SAS scan. I scanned the file with Norton, at home on P.C., and then re-scanned with Symantec Endpoint, here at work, before transfer, but I am not virus savvy enough to know what the do's and don'ts are. If you need an "admin" scan let me know and I will try aSUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/08/2010 at 03:12 AM

Application Version : 4.35.1002

Core Rules Database Version : 4780
Trace Rules Database Version: 2592

Scan type : Complete Scan
Total Scan Time : 06:39:04

Memory items scanned : 232
Memory threats detected : 0
Registry items scanned : 5762
Registry threats detected : 0
File items scanned : 120979
File threats detected : 76

Adware.Tracking Cookie
C:\Documents and Settings\TOM\Cookies\system@media6degrees[1].txt
C:\Documents and Settings\TOM\Cookies\system@revsci[1].txt
C:\Documents and Settings\TOM\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\TOM\Cookies\system@apmebf[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@247realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@a1.interclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.addynamix[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.ihispano[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.mefeedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.vidsense[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adtech[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@azjmp[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@burstnet[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@cdn4.specificclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz10.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz3.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz4.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz5.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz6.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickpayz7.91469.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@clickthrough.kanoodle[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@eas.apm.emediate[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ehg-players.hitbox[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@exoclick.40531.blueseek[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@exoclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@google.lucidmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@hitbox[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediaplex[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@mediatraffic[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@network.realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@revenue[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ru4[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@statcounter[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@theclickcheck[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@trackingvalue[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@unrulymedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.burstnet[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@www.icityfind[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ybdev.112.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@yieldmanager[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@zanox[1].txt

Trojan.Agent/Gen
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\INL4OK36\N002106201R0409XC56A6174Y8EDD32ADZ0100F07030DP000201080[1]
gain tonight before creating the ESET log. Thanks for the help.

#8 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:12:46 PM

Posted 08 April 2010 - 12:20 PM

the note above was in your previous post. Does this include "administrator"?


Yes, you are correct. But from what I see in your logs you're looking pretty good.

I can certainly understand not wanting to infect your network and being an admin myself, I can appreciate your apprehensiveness for doing just that.

After running the ESET scan, please also run TFC.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

* Save any unsaved work. TFC will close ALL open programs including your browser!
* Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
* Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
* TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
* Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


I'd also like you to replace your HOSTS file as it's possible one of the infections you had may have inserted some bad lines in it.

I would like you to go here and read and follow the instructions on how to update/replace your "HOSTS" file.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#9 jmrich56

jmrich56
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 09 April 2010 - 12:50 AM

Good morning techextreme, warm and peaceful here in So.Cal. this evening and the ground isn't shaking! Some success with acquiring logs - Eset log below, but I still could not get the SAS log for "admin" in safe mode. Same window pops up asking what program I want to open/run S.A.S. with. After getting the Eset log I proceeded to next steps - downloaded TFC and ran it, and updated/replaced "Host" files, then tried "safe mode - admin" again but no success in opening/running. Below is Eset log. Till tomorrow. Thanks. ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=bf18b5daec1b60418f1cb4a21bce95b5
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-09 03:40:23
# local_time=2010-04-08 08:40:24 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 16764926 40 17 272914 349865166 0 0
# compatibility_mode=4352 16777215 100 0 0 0 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=122499
# found=3
# cleaned=3
# scan_time=7533
C:\Documents and Settings\TOM\Local Settings\Temporary Internet Files\Content.IE5\RYZG9KZY\data[1].html a variant of Win32/Kryptik.DMR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Temp\3654343518.exe a variant of Win32/Kryptik.DML trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\Temp\windirpath.exe a variant of Win32/Kryptik.DMZ trojan (deleted - quarantined) 00000000000000000000000000000000 C

#10 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:12:46 PM

Posted 09 April 2010 - 08:14 AM

Your logs are looking good now. Can you once again run Malwareytes and post a new log so we can check our cleanliness please.

When you try running SAS under the Administrator Account does it give you the "open with" dialog box asking you what you want to open it with?
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#11 jmrich56

jmrich56
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 09 April 2010 - 09:08 AM

That is correct, the "open with" pick box. Will run and post Malwarebytes log tonight. Thanks.

#12 jmrich56

jmrich56
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 09 April 2010 - 09:08 AM

That is correct, the "open with" pick box. Will run and post Malwarebytes log tonight. Thanks.

#13 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:12:46 PM

Posted 09 April 2010 - 09:27 AM

Ok. Let's fix the EXE file Association for your Administrator Account.

Go here to Doug Knox's Windows® XP File Association Fixes

Look for "EXE File Association Fix (Restore default association for EXE files)" in the list. Save the file to the root of your drive ( C:\ ) and Unzip it there.

Reboot your computer in Safe Mode and login with the Administrator Account. Follow the instructions at the top of the Doug Knox Page to import the settings.

Now try running SuperAntiSpyware in Safe Mode as the Administrator.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#14 jmrich56

jmrich56
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 09 April 2010 - 11:34 PM

below is latest Malwarebytes log - I also checked Norton Quarantine and there are 3 viruses there - all named Trojan.FakeAV. Infected file names are MSASCui.exe, av.exe, and ave.exe. All 3 files were in C:\Documents and Settings\TOM\Local Settings\Application. Not sure if that info helps but my bad for not checking "Quarantene" till now. Thought Norton would give some kind of warning - need to check my settings. Also I had an error code after running Malwarebytes - "error code 2 - could not perform operation". Sorry but I may have not stated that ver batem - didn't write it down. Again, my bad - I know every little bit of info helps some. Now the log - will work on your latest directions now. Thanks

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3973

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/9/2010 8:15:17 PM
mbam-log-2010-04-09 (20-15-17).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 223020
Time elapsed: 1 hour(s), 30 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D7EECCCB-504A-4B73-84FE-DF9426EF622E}\RP461\A0074292.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#15 jmrich56

jmrich56
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:46 AM

Posted 10 April 2010 - 01:45 PM

techextreme,
the Malwarebytes' Error Code window reads "{OpenEvent} Failed to perform desired action. Error Code: 2




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users