exile360 (Experts)
Posts: 31,301
Days Won: 41

Everything posted by exile360

  1. Yup, you are correct, MBAM does indeed detect files/folders based on their names; it's part of its detection algorithm and heuristics. However, whenever this occurs and it flags a file or folder related to a legitimate program, the developers create a whitelist rule for it once someone reports it.
  2. Greetings MWare, and welcome. Please refer to this post and see if it helps: http://www.malwarebytes.org/forums/index.p...ost&p=41192 If not, then please read the instructions here (I know you won't be able to perform all of the steps, but just do the ones you can): http://www.malwarebytes.org/forums/index.php?showtopic=2936 and post your logs in a new topic here: http://www.malwarebytes.org/forums/index.php?showforum=7 Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult. I hope I was helpful. Good luck and safe surfing.
  3. Greetings fender, you might try the Microsoft Diagnostic and Recovery Toolset (30 day trial) which can be downloaded here: http://www.microsoft.com/downloads/details...;displaylang=en Install it on a working XP computer and burn the ISO, then boot the infected computer from the ISO and see if you can use the System Restore function to get it to boot again. Once you've done that please read the instructions here, but this time just save the log from MBAM and don't remove the infections yet: http://www.malwarebytes.org/forums/index.php?showtopic=2936 and post your logs in a new topic here: http://www.malwarebytes.org/forums/index.php?showforum=7 When you post your topic in that forum explain why you didn't remove what MBAM found and paste a link to this topic in your post. Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult. I hope I was helpful. Good luck and safe surfing.
  4. Greetings, and welcome warman. The following instructions assume you have a clean computer to work from. Create a folder on the desktop of your clean computer and call it "copy me to desktop" without the quotes. Next, please download Malwarebytes' Anti-Malware from here: http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html Save the setup file in the folder you created previously. Install the program on the clean computer by double clicking it, then run Malwarebytes' and update the definitions once installation completes. Open Notepad and copy the following text into it exactly as written, then save the file as prep.bat (make sure you select the drop down box when saving the file that says "Save as type" and select "All Files"):

     rem copy the current definitions next to the installer, then rename the installer
     copy "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref" "%cd%"
     ren "%cd%\mbam-setup.exe" 12setup.exe

     Now double click the prep.bat file you just created; the setup file should now be renamed and you should now have a file called rules.ref in the folder with it. Now, as before, create another batch file called install.bat and save it in the same folder:

     rem put the definitions in place, rename mbam.exe and start a quick scan
     copy rules.ref "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware"
     ren "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mbam.exe" mscan.exe
     "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mscan.exe" /quickscan

     Don't execute the second batch file you just created yet, we'll be using it later. Now, copy the folder you created containing the setup file, the rules.ref file and the 2 batch files to a flash drive or writable CD and copy the folder to the desktop of the infected computer. Once it's there, run 12setup.exe and after the installation is complete, double click on the second batch file you made called install.bat. Malwarebytes' should now run and scan your computer for infections. Once the scan completes, remove any infections it finds and reboot if necessary.
     Once that's done please read the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936 and post your logs in a new topic here: http://www.malwarebytes.org/forums/index.php?showforum=7 Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult. I hope I was helpful. Good luck and safe surfing.
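The kit-building procedure in post 4 above, as an added PowerShell example that is not part of the original post or of Malwarebytes' own tooling. It runs on the clean machine and does the job of both prep.bat and install.bat: it stages the current rules.ref next to the installer, renames the installer, and writes the batch file that will run on the infected PC. It goes one step beyond the post by picking a fresh random name for the installer and for mbam.exe on every run (instead of the fixed 12setup.exe/mscan.exe), so a name-based blocker cannot be updated against a known rename. Assumptions: the Windows XP paths the post uses, the installer already saved into the kit folder as mbam-setup.exe, and MBAM installed and updated on the clean machine.

```powershell
# Added example (not from the original post): PowerShell equivalent of prep.bat
# plus a generator for install.bat. Run on the CLEAN machine.
# Assumptions: XP-era paths from the post; mbam-setup.exe is already in $KitDir;
# MBAM is installed and its definitions updated on this machine.
param(
    [string]$KitDir = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'copy me to desktop')
)

$ErrorActionPreference = 'Stop'

# Definitions file location used in the post (Windows XP layout).
$rulesSrc = Join-Path $env:ALLUSERSPROFILE "Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref"

# Random 8-character names so nothing on the infected PC can match the well-known
# file names mbam-setup.exe / mbam.exe.
function New-RandomName([string]$Extension) {
    $chars = 'abcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()
    $name  = -join (1..8 | ForEach-Object { $chars[(Get-Random -Maximum $chars.Length)] })
    return "$name$Extension"
}

if (-not (Test-Path $rulesSrc)) { throw "Definitions not found at $rulesSrc. Update MBAM on this machine first." }
$setup = Join-Path $KitDir 'mbam-setup.exe'
if (-not (Test-Path $setup))   { throw "Installer not found at $setup. Save mbam-setup.exe into the kit folder first." }

# 1. Stage the current definitions next to the installer (prep.bat's copy step).
Copy-Item -Path $rulesSrc -Destination $KitDir -Force

# 2. Rename the installer (prep.bat's ren step), with a random name this time.
$setupName = New-RandomName '.exe'
Rename-Item -Path $setup -NewName $setupName

# 3. Write the script that runs on the INFECTED machine (install.bat's role):
#    drop the definitions in place, rename mbam.exe, launch a quick scan.
#    %~dp0 is the folder the batch file lives in, so it works from any drive letter.
$scanName  = New-RandomName '.exe'
$runScript = @"
@echo off
rem Added example: run this after installing $setupName on the infected PC.
copy /y "%~dp0rules.ref" "%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\"
ren "%systemdrive%\Program Files\Malwarebytes' Anti-Malware\mbam.exe" $scanName
"%systemdrive%\Program Files\Malwarebytes' Anti-Malware\$scanName" /quickscan
"@
Set-Content -Path (Join-Path $KitDir 'install.bat') -Value $runScript -Encoding ASCII

# Show what was staged, so the names chosen this run are on record for the helper.
"Installer renamed to $setupName; mbam.exe will be renamed to $scanName on the infected PC."
Get-ChildItem -Path $KitDir | Select-Object Name, Length, LastWriteTime
```

Copy the whole kit folder to removable media exactly as the post describes, run the renamed installer on the infected PC, then double click install.bat. The rules.ref staged here is only as fresh as the last update on the clean machine, so update MBAM there immediately before running this.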
  5. Yeah, and there are definitely more than a few variants out there for this one (probably packaged with different trojans and/or rootkits) judging by the comments to that article (good read by the way, very thorough on the exact files and reg entries related to the infection).
  6. You could potentially just scan the Windows folder and Program Files folder if scanning a slave drive, but doing so instead of scanning a drive that's active means you miss anything that would normally be loaded into memory as well as the registry, which are key points MBAM uses to detect active infections on a system. I can understand slaving a drive to scan if you absolutely can't boot, but otherwise most tools work much better on a system that's booted, especially MBAM.
  7. Yup, +1 to that because just as malware only uses certain file extensions, it also only hides in certain places (when active) and that's where the quick scan is designed to look. It typically takes between 1-5 mins. to do a quick scan which to me is completely reasonable, especially considering how effective it is.
  8. Greetings Angelo PC, and welcome to Malwarebytes'. Most likely you have a new variant that MBAM doesn't completely remove (yet). The rogues these days are not only becoming more tenacious, but they are being modified (some daily) to avoid detection, and many have begun to target MBAM specifically (along with a few other products) because of what they've been able to do to rogues in the past. If you should come across this one again or are able to recall the url that it came from, please post the info so the developers can get ahold of some samples to get a handle on completely getting rid of it. Thanks for visiting, good luck and safe surfing.
  9. Greetings mikispiki, and no, as far as I'm concerned, the only stupid question is the one that goes unasked. As far as the database download goes, no it doesn't contain the program, just the definitions (and usually a bit behind the most up to date definitions).
  10. When it fails, it probably has to do with which mirror it selects (SecurityWonks has been having issues, and last week Malwarebytes.org had issues as well), but in the next version 1.32 you will be able to select the default mirror for updates which should help a lot.
  11. Yeah, I'm no expert either (and not considered one here because I'm not that comfortable with the logs yet), but I have worked as a professional PC tech at some big box retailers and had to figure out ways to get rid of some nasty stuff before great tools like MBAM existed (and even if they did, I wasn't permitted to use them due to EULAs which I refuse to violate, and I would have been fired for doing so anyway). Now I have an easy job that isn't computer related, so in my spare time at home and at work I've continued learning about PC security, tweaking, malware etc. because it's always fascinated me, which is why I became a tech in the first place. Now I'm looking into joining a HJT school (probably one of the ones mentioned by TeMerc) to advance my knowledge further and start working logs here on the MBAM forum.
  12. I just found these 2 threads: http://forum.hijackthis.de/showthread.php?p=246781 http://www.malwarebytes.org/forums/index.php?showtopic=8614 I would just wait and let the expert in our forum help you out (seeing as the thread in the other forum is closed), it looks like they're waiting for some logs to help you remove this.
  13. Those drivers don't look like infections, and guessing by the drivers they are, there are probably resource conflicts between them and that's the reason for the exclamation mark. It might not be a rootkit, it could just be a trojan. I remember back in the day when Vundo and Zlob were monsters to get rid of that they would display similar tactics guarding their registry keys without the use of a rootkit, and the only way to get rid of them would be to remove the file first, and then the keys in the registry (for some infections that order is reversed, of course). I was a professional PC tech back then, and there were no tools like MBAM that I could use to get rid of them; I had to do it all the old fashioned way and that usually meant slaving the drive to another PC to remove the files or using, as I said before, either a Bart's disc or MS D.a.R.T. to do it with the system offline.
  14. Not sure, but if the issue is deleting a key related to malware then you may be taking the wrong approach as it could be protecting its own keys. You could of course try RegAssassin: http://www.malwarebytes.org/regassassin.php but it's only useful if you're trying to delete a key, not modify it. But even then, if it's some sort of rootkit or trojan using a kernel mode driver, then I doubt anything besides Bart's or MS D.a.R.T. could get rid of it, and it may then just regenerate the key(s).
  15. Here's a quote from one of the MSDN guys:

     Reset the entire registry permissions to defaults
     Here is the detailed instruction on resetting the permissions for the whole registry. This was posted by Ken Zhao of Microsoft.
     1. Download and install SubInACL
     2. Create a file named reset.cmd in the C:\Program Files\Windows Resource Kits\Tools folder.
     3. Edit the reset.cmd file with the following content.
        subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
        subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
        subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
        subinacl /subdirectories %SystemDrive% /grant=administrators=f
        subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
        subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
        subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
        subinacl /subdirectories %SystemDrive% /grant=system=f
     4. Enter into CMD prompt.
     5. Enter the following commands one at a time and press Enter.
        cd "C:\Program Files\Windows Resource Kits\Tools"
        reset.cmd
     6. After a few minutes of processing by subinacl, the permissions will be reset.
  16. Well, here's what my reset.txt file looks like:

     subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
     subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
     subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
     subinacl /subdirectories %SystemDrive% /grant=administrators=f
     subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
     subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
     subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
     subinacl /subdirectories %SystemDrive% /grant=system=f
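The reset.cmd from posts 15 and 16 above, driven from PowerShell as an added example that is not part of either post or of the SubInACL documentation. It issues the same eight subinacl calls, logs each one's output so a key the tool could not touch (which is what a malware-protected key looks like) is visible afterwards, and then checks the result with Get-Acl. The check matters because /grant adds an Allow ACE and does not remove an existing Deny ACE, and a Deny entry left behind by malware still wins; the verification therefore reports a hive as fixed only when Administrators and SYSTEM hold Full Control and no Deny ACE for them remains. Assumptions: subinacl.exe installed at the Resource Kit path the post uses, and the script run from an elevated PowerShell session on the affected machine.

```powershell
# Added example (not from the posts): run the reset.cmd commands above and verify
# the outcome. Assumption: subinacl.exe is at the Resource Kit path from post 15.
$subinacl = 'C:\Program Files\Windows Resource Kits\Tools\subinacl.exe'
if (-not (Test-Path $subinacl)) { throw "subinacl.exe not found at $subinacl" }

$log = Join-Path $env:TEMP 'subinacl-reset.log'
"subinacl reset started $(Get-Date)" | Out-File -FilePath $log

# Same targets as reset.cmd, kept as data so every call shows up in the log.
$targets = @(
    @{ Switch = '/subkeyreg';      Target = 'HKEY_LOCAL_MACHINE' },
    @{ Switch = '/subkeyreg';      Target = 'HKEY_CURRENT_USER'  },
    @{ Switch = '/subkeyreg';      Target = 'HKEY_CLASSES_ROOT'  },
    @{ Switch = '/subdirectories'; Target = $env:SystemDrive     }
)

foreach ($principal in 'administrators', 'system') {
    foreach ($t in $targets) {
        $cmdArgs = @($t.Switch, $t.Target, "/grant=$principal=f")   # f = Full Control
        "==> subinacl $($cmdArgs -join ' ')" | Out-File -FilePath $log -Append
        & $subinacl @cmdArgs 2>&1 | Out-File -FilePath $log -Append
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "subinacl exit code $LASTEXITCODE for $($t.Target) ($principal); see $log"
        }
    }
}

# Verification: Full Control Allow ACE present AND no Deny ACE for the principal.
# /grant only adds Allow entries; a leftover Deny entry would still block access.
function Test-FullControl([string]$Path, [string]$Identity) {
    $rules = (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference -like "*\$Identity" }
    $allow = $rules | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.RegistryRights -eq 'FullControl' }
    $deny  = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
    return ([bool]$allow -and -not [bool]$deny)
}

# HKCR is a view of HKLM\SOFTWARE\Classes, so that key stands in for it here.
$checks = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software'
foreach ($key in $checks) {
    foreach ($id in 'Administrators', 'SYSTEM') {
        "{0,-24} {1,-14} FullControlOK={2}" -f $key, $id, (Test-FullControl $key $id)
    }
}
"Full output in $log"
```

A line reading FullControlOK=False after the run, or a non-zero exit code in the log for one of the hives, points at exactly the keys the post is worried about: ones the malware is still guarding, which is when the offline tools mentioned in posts 13 and 14 come in. Resetting permissions on the whole of %SystemDrive% is a blunt instrument; expect it to take a while and run it from an elevated prompt.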
  17. Yes, it works in a similar way, except Dial-a-fix actually uses secedit, not subinacl, to do its work with permissions. Check this article if you want more info on using subinacl: http://blogs.msdn.com/astebner/archive/200...ermissions.aspx
  18. Honestly, I usually just use Lunarsoft's Dial-a-fix (doesn't work on Vista though). Other than that, I think I have an .inf that you right click and install to allow access to regedit (if that's the problem). edit: was just going through my toolkit and realized I forgot to mention subinacl, it's a wonderful little tool from MS (I just haven't had to use it in quite some time).
  19. Hello suadnovic, to answer your questions regarding safe mode:
     1: generally the only reason to run MBAM in safe mode is if it won't run in normal mode
     2: running MBAM in safe mode doesn't allow it to load all the drivers it needs to remove difficult malware like rootkits and many trojans; safe mode also prevents a lot of malware from running, which actually decreases MBAM's ability to detect it because MBAM is designed to look for active infections.
     I hope I've sufficiently answered your questions, good luck and safe surfing.
  20. I'm sorry to hear the Avira disc didn't do anything to help, I was really hoping it would. Considering how things are going it isn't looking too good. I have one last thing for you to try. Please download the Diagnostic and Recovery Toolset 30 day trial from here: http://www.microsoft.com/downloads/details...;displaylang=en Install it on a working computer running Windows XP (won't work on Vista) and follow the steps to create the ISO and burn it to a disc as you did with Avira. Boot from it with your infected PC and when it asks what installation to attach to, select your Windows XP (you'll see what I mean when you run it). Now, please use the File Explorer tool and browse to C:\Windows\System32\Drivers and look for any files that start with the letters TDS and delete them. Once you've done this, reboot and remove the disc from your drive and see if Windows will boot normally now. If not, then please boot from the disc again and try using the System Restore tool to roll back to before the infection occurred, then follow the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936 and post your logs in a new topic here: http://www.malwarebytes.org/forums/index.php?showforum=7 so one of the malware removal experts can make sure your system is clean and that there are no nasty leftovers. Please get back to me with any questions and let me know how it goes. I've got my fingers and toes crossed for you. Good luck!
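The driver clean-up in post 20 above, as an added PowerShell example that is not part of the post. The post has the user delete files starting with TDS by hand from the D.a.R.T. file explorer; this script does the same job when the infected disk is instead attached to a clean machine (slaved, as posts 6 and 13 describe, or mounted from a rescue environment where PowerShell is available), which also means an active rootkit cannot hide the files from the listing. Before anything is removed it prints the name, size, timestamps and Authenticode status of each match, so a legitimately signed driver that happens to start with TDS can be spotted, and it keeps a copy of every removed file so the expert on the forum can still get a sample. Assumptions: the offline Windows volume is D:\ and the quarantine folder is C:\quarantine\tds; both are parameters.

```powershell
# Added example (not from the post): review, back up and remove TDS* driver files on
# an offline Windows volume. Assumptions: $OfflineRoot is the infected disk attached to
# a clean machine; $Quarantine is a folder on the clean machine for the copies.
param(
    [string]$OfflineRoot = 'D:\',
    [string]$Quarantine  = 'C:\quarantine\tds',
    [switch]$Remove                      # without -Remove the script only reports
)

$ErrorActionPreference = 'Stop'
$driverDir = Join-Path $OfflineRoot 'Windows\System32\Drivers'
if (-not (Test-Path $driverDir)) {
    throw "No driver directory at $driverDir; is $OfflineRoot really the infected Windows volume?"
}

# -Force includes hidden/system files, which is how such droppers are usually stored.
# New-Object PSObject (rather than [pscustomobject]) keeps this runnable on PowerShell 2.0.
function Get-SuspectDrivers([string]$Dir) {
    Get-ChildItem -Path $Dir -Filter 'TDS*' -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            New-Object PSObject -Property @{
                Name      = $_.Name
                Size      = $_.Length
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Signature = $sig.Status      # NotSigned is the usual finding for these files
                Signer    = $signer
                Path      = $_.FullName
            }
        }
}

$suspects = @(Get-SuspectDrivers $driverDir)
if ($suspects.Count -eq 0) { "No TDS* files in $driverDir"; return }

# Always show the evidence first: a signed, months-old file deserves a second look.
$suspects | Format-Table Name, Size, Created, Modified, Signature, Signer -AutoSize

if ($Remove) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    foreach ($s in $suspects) {
        # Keep a copy first; the helper on the forum may ask for the sample.
        Copy-Item -Path $s.Path -Destination $Quarantine -Force
        Remove-Item -Path $s.Path -Force
        "quarantined and removed $($s.Name)"
    }
    "Copies kept in $Quarantine. Reboot the infected PC from its own disk to test."
} else {
    "Report only. Re-run with -Remove to quarantine and delete the files listed."
}
```

Run it once without -Remove and read the table; a file that is Valid-signed by a known vendor is worth checking before it goes, while an unsigned file with a creation time matching the day the trouble started is what the post is after. As the post says, after the reboot still follow up with the logs in the forum so the leftovers get checked.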
  21. Hello again, I believe what was meant by the proper forum would be here: http://www.malwarebytes.org/forums/index.php?showforum=7 That's where users get assisted by the experts to clean their machines. Just follow the instructions here as closely as possible: http://www.malwarebytes.org/forums/index.php?showtopic=2936 If you are unable to run one or more of the scans in that topic, just skip it and move on to the next one. What Raid meant by acquiring survivors would be grabbing samples from you by the expert who will be helping you of malware that MBAM isn't detecting/removing (the stuff that requires manual removal with the expert's assistance).
  22. Greetings and welcome to the forum. To get you fixed up please read the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936 and post your logs in a new topic here: http://www.malwarebytes.org/forums/index.php?showforum=7 Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult. I hope I was helpful. Good luck and safe surfing.
  23. Hello again Sharley14, if you can't do what nosirrah suggested, then please try to download the Avira Rescue CD from here: http://dlpro.antivir.com/down/vdf/rescuecd/rescuecd.iso Then open the .iso file with Nero or whatever software you use to burn CDs. If you don't have Nero or a similar application installed, then please download the .exe version of the disc here: http://dl.antivir.de/down/vdf/rescuecd/rescuecd.exe It will allow you to burn it to disc, just run the rescuecd.exe file. Once the disc is burned, boot the infected computer with that disc in the drive. Select option 1 to boot into AntiVir Rescue System. Click on the British flag on the lower left to switch to English. Proceed through the settings and be sure to select the option to scan and remove infections.
  24. Greetings steve150, please try renaming the setup file to something random like 1234.exe and see if it will install. If it does, but won't run, then navigate to C:\Program Files\Malwarebytes' Anti-Malware and rename mbam.exe to something random as well, then double click it and try to run it. Do a check for updates, then do a quick scan and have it remove what it finds. After you've done this, if there are still any issues present, then please read the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936 and post your logs in a new topic here: http://www.malwarebytes.org/forums/index.php?showforum=7 Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult. I hope I was helpful. Good luck and safe surfing.
  25. Greetings and welcome to the forum. To get you fixed up please read the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936 and post your logs in a new topic here: http://www.malwarebytes.org/forums/index.php?showforum=7 Please be sure not to install any software or use any removal/scanning tools except those that you are instructed to by the expert who will be assisting you, as doing so can make their job much more difficult. I hope I was helpful. Good luck and safe surfing.