Help Request on "Remove Security Tool Uninstall Guide"

#1 merlot49

Posted 17 December 2010 - 10:12 PM

Hi All, a request for help on one aspect of your Remove Security Tool Uninstall guide.

I have been following it and have got up to step 13.

I have located the Malwarebytes .exe program and double-clicked on it.

I get an error message: "The setup files are corrupted. Please obtain a new copy of the program."

I have redone Step 12, no luck. Then went back to step 7 and did all steps again with no luck.

Any suggestions gratefully received.

#2 teacup61 (Malware Response Team)


Posted 17 December 2010 - 10:20 PM

Hello merlot49 ,

Let's disable the main file manually so you can run some tools. Do you have access to a flash drive?

What I want you to look for is in Application Data (If using XP, otherwise Program Data). There will be a folder, with a file in it of the same "name". This will appear random, but it has a pattern. Look for letters and numbers in this order: lower case, upper case, lower case, upper case, lower case, then 5 random numbers. For example:

Folder -----> pEeHl02508\pEeHl02508.exe <-----file inside

Delete the folder. Now, download the following tool to a flash drive from a different computer, then put it on the infected one and run it.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to merlot.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
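An added example (not from the thread, and not ComboFix or Malwarebytes code) that turns the naming pattern teacup61 describes into a check: it scans an Application Data folder for a directory whose name is lower/upper/lower/upper/lower plus five digits and that holds an .exe of the same name. The directory tree it runs over is constructed for the demo; point `find_security_tool_dirs` at the real Application Data (XP) or ProgramData path to use it.

```python
import os
import re
import tempfile
from typing import List

# The pattern teacup61 describes: lower, upper, lower, upper, lower, then 5 digits,
# e.g. pEeHl02508. The folder and the .exe inside it share this name.
SECURITY_TOOL_NAME = re.compile(r"^[a-z][A-Z][a-z][A-Z][a-z][0-9]{5}$")


def is_security_tool_name(name: str) -> bool:
    """True if `name` fits the lower/upper/lower/upper/lower + 5-digit pattern."""
    return SECURITY_TOOL_NAME.fullmatch(name) is not None


def find_security_tool_dirs(app_data: str) -> List[str]:
    """Folders directly under app_data whose name matches the pattern AND which
    contain an executable of the same name (folder\\name.exe), as in the post."""
    hits = []
    try:
        entries = os.listdir(app_data)
    except OSError:
        return hits                      # path missing or unreadable: nothing to report
    for entry in entries:
        folder = os.path.join(app_data, entry)
        if not os.path.isdir(folder) or not is_security_tool_name(entry):
            continue
        exe = os.path.join(folder, entry + ".exe")
        if os.path.isfile(exe):
            hits.append(folder)
    return sorted(hits)


def build_sample_app_data(root: str) -> str:
    """Construct a fake Application Data tree for the demo (sample data, not a real machine)."""
    app_data = os.path.join(root, "Application Data")
    # Looks like the rogue: matching folder name with a same-named exe inside.
    os.makedirs(os.path.join(app_data, "pEeHl02508"))
    open(os.path.join(app_data, "pEeHl02508", "pEeHl02508.exe"), "wb").close()
    # Matching name but no exe inside: not reported, to avoid flagging an empty dir.
    os.makedirs(os.path.join(app_data, "aBcDe12345"))
    # Ordinary application folders that must not be flagged.
    os.makedirs(os.path.join(app_data, "Malwarebytes"))
    os.makedirs(os.path.join(app_data, "Adobe"))
    return app_data


def demo() -> List[str]:
    """Run the check over the constructed tree and return the flagged folder names."""
    with tempfile.TemporaryDirectory() as root:
        app_data = build_sample_app_data(root)
        return [os.path.basename(p) for p in find_security_tool_dirs(app_data)]


if __name__ == "__main__":
    print(demo())  # ['pEeHl02508']
```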

#3 merlot49 (Topic Starter)


Posted 17 December 2010 - 11:35 PM

Tea, thanks for your post (and very quick too). The Combofix seems to have fixed the problem.

I have kept the log for future reference in case the problem resurfaces.

Thanks again, Craig

#4 teacup61 (Malware Response Team)


Posted 17 December 2010 - 11:43 PM

Hi Craig,

Glad it's better.....could you please post the report so I can make absolutely sure all is well? I would hate for something to still be there and get you in a day or so.

Thanks,
tea

#5 merlot49 (Topic Starter)


Posted 17 December 2010 - 11:46 PM

Here it is Tea - I concede I could not work out how to turn off the Trend Micro scanner so I went ahead anyway - sorry if this adds any confusion.

Having the Malwarebytes working would be a good thing for me in the future as well.

Cheers,




ComboFix 10-12-16.05 - cms 18/12/2010 15:05:45.1.4 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3063.2426 [GMT 11:00]
Running from: E:\ComboFix.exe
AV: Trend Micro Client/Server Security Agent Antivirus *Enabled/Updated* {AE338DEB-D16E-4AD2-A7FD-309311D65F85}
FW: Trend Micro Personal Firewall *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\cms\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\cms\Application Data\Adobe\plugs
c:\documents and settings\cms\Application Data\Adobe\plugs\KB6851875.exe
c:\documents and settings\cms\Application Data\Adobe\plugs\KB6896203.exe
c:\documents and settings\cms\Desktop\System Tool 2011.lnk
c:\documents and settings\cms\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\cms\g2mdlhlpx.exe
c:\documents and settings\cms\Local Settings\Application Data\{5D5E2EF7-A8C6-47DC-AEF2-A9AB14D8DA96}
c:\documents and settings\cms\Local Settings\Application Data\{5D5E2EF7-A8C6-47DC-AEF2-A9AB14D8DA96}\chrome.manifest
c:\documents and settings\cms\Local Settings\Application Data\{5D5E2EF7-A8C6-47DC-AEF2-A9AB14D8DA96}\chrome\content\_cfg.js
c:\documents and settings\cms\Local Settings\Application Data\{5D5E2EF7-A8C6-47DC-AEF2-A9AB14D8DA96}\chrome\content\overlay.xul
c:\documents and settings\cms\Local Settings\Application Data\{5D5E2EF7-A8C6-47DC-AEF2-A9AB14D8DA96}\install.rdf
c:\documents and settings\craig\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\craig\g2mdlhlpx.exe
c:\documents and settings\leah\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\leah\g2mdlhlpx.exe
c:\documents and settings\leah\GoToAssistDownloadHelper.exe
c:\windows\ipapoxubace.dll
c:\windows\mclcomse.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-18 02:49 . 2010-12-18 02:49 -------- d-----w- c:\documents and settings\cms\Application Data\Malwarebytes
2010-12-18 02:39 . 2010-11-30 00:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-18 02:39 . 2010-12-18 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-18 02:39 . 2010-12-18 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-18 02:39 . 2010-11-30 00:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-18 02:10 . 2010-12-18 02:10 -------- d--h--w- c:\windows\PIF
2010-12-18 01:13 . 2010-12-18 01:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-12-18 00:49 . 2010-12-18 00:49 0 ----a-w- c:\windows\Etupozisijihafe.bin
2010-12-16 05:02 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 05:02 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2008-04-25 21:27 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-25 16:16 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-25 16:16 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:27 . 2008-04-25 16:16 1862272 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-17 729088]
"nwiz"="nwiz.exe" [2010-02-20 1657448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-02-20 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-02-20 13803520]
"NVHotkey"="nvHotkey.dll" [2010-02-20 86016]
"FreeFallProtection"="c:\program files\STMicroelectronics\Accelerometer\FF_Protection.exe" [2009-07-22 2384896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-05-12 842816]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2010-03-30 959784]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-06-19 36864]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-06-19 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-9 607584]
UltraMon.lnk - c:\windows\Installer\{B49673F8-7AB6-4A14-8213-C8A7BE370010}\IcoUltraMon.ico [2010-8-9 29310]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DPWLN ]
2009-05-12 22:50 162880 ----a-w- c:\program files\DigitalPersona\Bin\DPWLEvHd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2010-08-09 04:54 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\240\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"63718:TCP"= 63718:TCP:Trend Micro Client/Server Security Agent Listener

R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdflt.sys [30/07/2010 2:42 PM 16176]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [30/07/2010 5:23 PM 47104]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [30/07/2010 5:23 PM 48640]
R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [30/07/2010 5:23 PM 38400]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [04/12/2009 5:39 PM 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [04/12/2009 5:38 PM 36368]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [14/11/2008 3:11 AM 17184]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [30/07/2010 2:42 PM 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [13/07/2009 2:04 PM 1656112]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Acceler.sys [30/07/2010 2:42 PM 41648]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [30/07/2010 5:22 PM 112512]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [30/07/2010 2:55 PM 134144]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [30/07/2010 2:55 PM 143968]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [30/07/2010 5:23 PM 125696]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [30/07/2010 5:22 PM 58600]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [15/07/2009 6:37 PM 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [09/08/2010 11:43 AM 57424]
R3 tmpfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\Trend Micro\Client Server Security Agent\TmPfw.exe [15/07/2009 6:39 PM 497008]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\Trend Micro\Client Server Security Agent\TmProxy.exe [15/07/2009 6:37 PM 689416]
S2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\Accelerometer\InstallFilterService.exe [30/07/2010 2:42 PM 60928]
S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\240\g2ax_service.exe [09/08/2010 3:54 PM 161144]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [26/04/2008 3:16 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-12-17 c:\windows\Tasks\User_Feed_Synchronization-{4FB66BC2-26ED-4F73-99FB-61BDBC346184}.job
- c:\windows\system32\msfeedssync.exe [2009-03-07 18:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.abc.net.au/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {9BBB3919-F518-4D06-8209-299FC243FC44} - hxxps://192.168.1.10:4343/SMB/console/html/root/AtxEnc.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uyifereweri - c:\windows\mclcomse.dll
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
HKLM-Run-Mcaresanu - c:\windows\ipapoxubace.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-18 15:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1468)
c:\windows\system32\WININET.dll
c:\program files\DigitalPersona\Bin\DPWLEvHd.dll
c:\program files\Citrix\GoToAssist Express Customer\240\g2ax_winlogon.dll
c:\windows\system32\DPFPApi.DLL
c:\windows\system32\DPCLBACK.dll
c:\program files\DigitalPersona\Bin\DpoSet.dll

- - - - - - - > 'lsass.exe'(1528)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3684)
c:\windows\system32\WININET.dll
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\windows\system32\btmmhook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\program files\DigitalPersona\Bin\DpoSet.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\drivers\audio\r266019\wdm\stacsv.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Trend Micro\Client Server Security Agent\ntrtscan.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Trend Micro\Client Server Security Agent\tmlisten.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\IDT\WDM\sttray.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\UltraMon\UltraMon.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Trend Micro\BM\TMBMSRV.exe
.
**************************************************************************
.
Completion time: 2010-12-18 15:21:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-18 04:21

Pre-Run: 474,870,841,344 bytes free
Post-Run: 472,203,603,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - C4162C5B38B62F4D43D1971D1090B5AA

#6 teacup61 (Malware Response Team)


Posted 18 December 2010 - 12:01 AM

Thank you so much. :thumbup2:

Don't worry about it....Trend isn't as bad as some of the others. :) Have you tried uninstalling, then reinstalling Malwarebytes? If not, then please do and have a quick scan with it. Let me know how you come out and we'll finish up. :)

Thanks,
tea

#7 merlot49 (Topic Starter)


Posted 19 December 2010 - 06:38 PM

Hi Tea, I did the scan as per your last post and was ready to post it here, but my internet connection went down and I had to go. Back on deck just now, so here is the log of the Malwarebytes scan from Saturday. Pasted below that is the scan done today - it seems clear.

Thanks for the help. Craig

Objects scanned: 241723
Time elapsed: 44 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\documents and settings\cms\application data\Adobe\plugs\kb6851875.exe.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\mclcomse.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{45b5e8b9-949a-471e-999d-f381da56a2d3}\RP116\A0020465.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{45b5e8b9-949a-471e-999d-f381da56a2d3}\RP116\A0020485.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\system volume information\_restore{45b5e8b9-949a-471e-999d-f381da56a2d3}\RP116\A0020497.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\cms\Desktop\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully


*********************


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5347

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/12/2010 10:20:21 AM
mbam-log-2010-12-20 (10-20-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 242067
Time elapsed: 1 hour(s), 0 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 teacup61 (Malware Response Team)


Posted 19 December 2010 - 06:43 PM

Hi Craig :)

Again, not a problem....real life tends to happen huh? :wink:

Yes, that looks good.....those are in ComboFix quarantine and system restore and were not a threat. :thumbup2:

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Looks like MBAM is behaving now....everything else running all right today? :)

tea
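An added example (not from the thread, and not Malwarebytes code) of the triage teacup61 applies to the log in reply #7: it pulls the entries out of the "Files Infected:" section of an MBAM 1.50 log and groups them by where the file lived, so detections inside ComboFix's Qoobox quarantine and inside System Volume Information restore points are separated from paths that are still live. The sample lines are copied from the log above; the section and line formats are taken from it, not from any Malwarebytes documentation.

```python
import re
from typing import Dict, List, Tuple

# Sample lines in the shape of the Malwarebytes log posted above (copied from it).
SAMPLE_MBAM_LOG = [
    "Files Infected: 6",
    "",
    "Registry Keys Infected:",
    "(No malicious items detected)",
    "",
    "Files Infected:",
    r"c:\Qoobox\quarantine\C\documents and settings\cms\application data\Adobe\plugs\kb6851875.exe.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.",
    r"c:\Qoobox\quarantine\C\WINDOWS\mclcomse.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.",
    r"c:\system volume information\_restore{45b5e8b9-949a-471e-999d-f381da56a2d3}\RP116\A0020465.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.",
    r"c:\documents and settings\cms\Desktop\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully",
]

# "<path> (<detection name>) -> <action>"; the last line of the posted log shows the
# trailing period is not always present, so it is optional here.
DETECTION_LINE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_files_infected(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, detection, action) for each entry under the 'Files Infected:' section."""
    found = []
    in_section = False
    for raw in lines:
        line = raw.strip()
        if line == "Files Infected:":        # the section header, not the "Files Infected: N" count
            in_section = True
            continue
        if in_section:
            if not line:
                break                        # a blank line closes the section
            m = DETECTION_LINE.match(line)
            if m:                            # "(No malicious items detected)" does not match
                found.append((m["path"], m["name"], m["action"]))
    return found


def classify_location(path: str) -> str:
    """Where the detected file lived, using the distinction drawn in the thread."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"         # already neutralised by ComboFix
    if "\\system volume information\\_restore" in p:
        return "system-restore"              # old restore-point copy, not running
    return "live"                            # anything else deserves a closer look


def triage(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group detections by location; returns (path, detection) pairs per bucket."""
    buckets: Dict[str, List[Tuple[str, str]]] = {
        "combofix-quarantine": [], "system-restore": [], "live": []}
    for path, name, _action in parse_files_infected(lines):
        buckets[classify_location(path)].append((path, name))
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_MBAM_LOG).items():
        print(f"{bucket}: {len(items)}")
        for path, name in items:
            print(f"    {name:<35} {path}")
```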

#9 merlot49 (Topic Starter)


Posted 19 December 2010 - 07:16 PM

All good other than the Trend Micro popping up all the time to tell me it is blocking me from going on 2 websites being:

z0g7yail0

pxlaratotor

Still functioning, just an annoyance. Cheers

#10 teacup61 (Malware Response Team)


Posted 19 December 2010 - 07:20 PM

Hmmm.....I don't really like that. <_<


Please download ATF Cleaner by Atribune & save it to your desktop.
  • Close all open browsers before using, especially FireFox. <-Important!!!
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Notes: On Vista, "Windows Temp" is disabled. To empty Temp, ATF-Cleaner must be Run As Administrator.
The Prefetch cleaning feature has been disabled for Vista Users. Tabs for applications that are not installed are grayed out.


Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make ReadOnly?".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

After that, please let me know if it's still happening...and sorry about the edit. My clicker got carried away and hit post instead of notepad. :blink:

Edited by teacup61, 19 December 2010 - 07:22 PM.

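An added example (not from the thread or from HostsXpert) of the two things the HostsXpert steps above do: list every hosts entry beyond the stock localhost line so you know which custom entries to re-add afterwards, then write the default file back and set it read-only. The sample hosts contents and hostnames are constructed, the default file is reduced to the loopback line (an assumption; the real one also carries Microsoft's comment header), and a refused write is reported rather than raised, since that is the failure the next reply runs into.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Assumed content of the restored Windows XP hosts file: the loopback entry only.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Constructed sample of a tampered hosts file; the hostnames are made up for the demo.
SAMPLE_TAMPERED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.invalid   # silently blocks an update site
198.51.100.7    www.example-bank.invalid        # redirects a login page elsewhere
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()            # one IP may carry several names per line
        entries.extend((ip, name.lower()) for name in names)
    return entries


def non_default_entries(text: str) -> List[Tuple[str, str]]:
    """Everything beyond the stock localhost line: entries you added on purpose, or the
    blocks and redirects a hijacked file carries. Review these before restoring."""
    return [e for e in parse_hosts(text) if e not in DEFAULT_ENTRIES]


def restore_default_hosts(path: str) -> bool:
    """Write the default contents and clear the write bits (the read-only attribute on
    Windows), mirroring 'Restore MS Hosts File' then 'Make ReadOnly?'. Returns False
    when the write is refused, which is what a 'Cannot create file' error amounts to."""
    try:
        if os.path.exists(path):
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # lift read-only so we can rewrite
        with open(path, "w", encoding="ascii") as fh:
            fh.write(DEFAULT_HOSTS)
        os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    except PermissionError:
        return False
    return True


def is_read_only(path: str) -> bool:
    """True when no write bit is set on the file."""
    return not (os.stat(path).st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]], bool]:
    """Audit a constructed tampered file, restore it, and report (before, after, read_only)."""
    before = non_default_entries(SAMPLE_TAMPERED_HOSTS)
    with tempfile.TemporaryDirectory() as tmp:
        hosts = os.path.join(tmp, "hosts")
        with open(hosts, "w", encoding="ascii") as fh:
            fh.write(SAMPLE_TAMPERED_HOSTS)
        restored = restore_default_hosts(hosts)
        with open(hosts, encoding="ascii") as fh:
            after = non_default_entries(fh.read())
        return before, after, restored and is_read_only(hosts)


if __name__ == "__main__":
    before, after, read_only = demo()
    print("non-default entries before restore:", before)
    print("non-default entries after restore: ", after)
    print("file is read-only:", read_only)
```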

#11 merlot49 (Topic Starter)


Posted 21 December 2010 - 11:28 PM

Hi Tea,

I have been trying your procedure for the last couple of days.

ATF Cleaner works fine.

HostsXpert keeps coming up with errors.

I get to Restore MS Hosts File and it says "Press OK to Restore Microsoft's original Hosts File" - I hit OK.

It says "Error: Cannot create file c: WINDOWS\system32\DRIVERS\ETC\hosts".

Reading other posts here I think it is the Trend Micro setting preventing this, but I can't get the combination right to override it for the moment - I did today go to the Microsoft Fix It site - it has a restore which I undertook and there is now a Hosts.old file, but HostsXpert is still not liking it.

Didn't want to trouble you but thought I would post to let you know you were not being ignored - just have a speed hump to get over.

The Trend Micro blocking messages are still happening - Malwarebytes reporting no malware - Trend Micro scan reporting no problems (other than a double-click spyware, now deleted).

Will keep trying as it is annoying. Thanks again, Craig

#12 teacup61 (Malware Response Team)


Posted 03 January 2011 - 02:21 PM

Hi Craig,

I haven't heard from you in a long while, so I'll be closing the topic tomorrow, unless I get a reply from you. :)

tea

#13 teacup61 (Malware Response Team)


Posted 10 January 2011 - 12:38 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic