Thinkpoint and Microsoft Security Essentials Viruses - Next steps?
#1 Raprider
Posted 31 October 2010 - 11:20 AM

Hi. I am new to this forum, but have used your tutorial recently to remove the Microsoft Security Essentials virus from my desktop machine.

I am running XP SP3 on an older Dell desktop.
About 2 weeks back I had the MSE virus on "my" profile, and followed the tutorial, used RKill and MBAM to successfully remove the virus.
I then ran full scans using McAfee AV and Spybot Search & Destroy, which removed some additional items.
Things are mostly working fine, however, I seem to be getting some errors popping up, such as:
1. Generic Host Process for Win32 Services has encountered a problem and needs to close.
2. IExplore.exe Application Error - The instruction at "0x00000000" referenced memory at "0x00000000". The instruction could not be "read". Click on OK to terminate the program.

Not sure what these mean, or why it is happening. If I click on the OK for the iexplore error, not much happens.
On occasion, the Taskbar turns white. Really weird.

Today I am dealing with the Thinkpoint virus on the "wife" profile, which appeared a couple of days ago, and MBAM has just finished running after 2 hours as I'm writing this on my laptop. It found 11 items, which I deleted. After the reboot, Thinkpoint did not appear and the "wife" desktop loads normally. I launched IE, and it opened fine, but then a new tab opened up with the url http://trkit.s3.amazonaws.com/regcure/index3.html and a popup box appears that says "Errors have been found in your operating system registry! Click to download free registry cleaner software."
I'm pretty sure this is more malware.
Should I be running MBAM again???

Some other questions I have are:
Does running MBAM work on BOTH profiles?
Should I be re-running it again on "my" profile later on?
Should I be running either/both McAfee and SS&D after? Or should I be running something else like Secunia?
Is there a benefit to running a System Restore back to the beginning of the month (pre-infection) at some point, and if so, at what point?

I guess I'm trying to figure out what to do now.
Thanks in advance!

Rap

Edited by Raprider, 31 October 2010 - 11:27 AM.

#2 Raprider
Posted 31 October 2010 - 11:54 AM

I am posting the MBAM log from today:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5006

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/31/2010 11:50:42 AM
mbam-log-2010-10-31 (11-50-42).txt

Scan type: Full scan (C:\|)
Objects scanned: 293924
Time elapsed: 2 hour(s), 0 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\JBP\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\JBP\Local Settings\Temp\pdfupd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\JBP\Local Settings\Temporary Internet Files\Content.IE5\6JWPPS77\ymiodtgtxs[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3004\A0502149.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3004\A0502150.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Edited by Raprider, 31 October 2010 - 07:37 PM.
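A defender-side parser for the MBAM log format quoted above, added as an editorial example (not code from the thread or from Malwarebytes); the embedded sample is a constructed, abridged copy of the posted log. It checks the summary counts against the detail lines actually listed and flags detections that sit inside System Restore points, which is relevant to the System Restore question in the first post.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the MBAM log quoted in the post above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 5006

Memory Modules Infected: 0
Registry Keys Infected: 2
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\JBP\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3004\A0502149.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3004\A0502150.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One detail line: "<path> (<threat name>) -> <action taken>."
ITEM_RE = re.compile(r"^(?P<path>.*) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return the summary counts and a list of (section, path, threat, action)."""
    summary, items, section = {}, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"^(.+ Infected): (\d+)$", line)
        if m:                                  # summary block, e.g. "Files Infected: 5"
            summary[m.group(1)] = int(m.group(2))
        elif line.endswith(" Infected:"):      # start of a detail section
            section = line[:-1]
        elif section and line and not line.startswith("("):  # skip "(No malicious items detected)"
            m = ITEM_RE.match(line)
            if m:
                items.append((section, m["path"], m["threat"], m["action"]))
    return summary, items

def count_mismatches(summary, items):
    """Sections whose summary count differs from the detail lines actually listed."""
    found = defaultdict(int)
    for section, *_ in items:
        found[section] += 1
    return {s: (n, found[s]) for s, n in summary.items() if n != found[s]}

def restore_point_items(items):
    """Detections under System Volume Information live in System Restore points, so restoring to that point would bring the file back."""
    return [p for _, p, _, _ in items if "\\System Volume Information\\" in p]
```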