tr.security
Everything posted by tr.security

  1. Thanks all, I appreciate all the feedback. @Firefox - sorry for the misunderstanding. Something happened between my brain and my fingers. What I meant to say was: I had previously entered all of the exclusions except for the .dll files (by following what was in the FAQ for other AV setups). I have now (after your post) also added those .dlls to the exclusion list and my screenshot now looks the same as mona7865's (thanks for posting that, mona). @Not Bob and mona7865: do you have "Enable Self-Defense" checked? I do not. I do have "Enable Antivirus and antispyware protection" and "Enable Anti-Stealth technology" checked. I have Nod32 v4.2.35, so I'll have to try updating to 4.2.4 and see if that makes any difference. Thanks again. I'll let you know how it goes.
  2. Thanks Firefox. I have updated my AV with those exclusions (I didn't have the .dlls, I had the others). It will likely take a couple of days to try it out with various startups. When you say "exclude" it from the firewall, do you mean add a rule to allow it to pass through? I have a packet filter firewall (Kerio) and currently have two rules:
     Allow, TCP, out, mbam.exe
     Allow, TCP, out, mbamervice.exe
  3. Heh. Yeah, I'm just putting off that one until I have these others figured out. You're going to like this: I have Kerio 2.1.5 firewall installed. I know it's old and I've been wondering if it's finally upon me to find a replacement.
  4. I had recently bought 5 MBAM licenses for myself and family PCs after having an XP Antivirus 2010 episode. Two systems have WinXP and ESET NOD32 AV 3 installed and seem to have no problems. Two systems have WinXP and ESET NOD32 AV 4.2 installed and do have problems. One system has Vista and Kaspersky 2009 installed and I have not yet installed MBAM there (because I'm scared to). On my WinXP Pro SP3 system (NOD32 v4), it now hangs about every 2nd boot. I get as far as the desktop and sysbar shown, with the icon for NOD32. Then I get an hourglass when hovering over the sysbar and everything else is frozen. I have added MBAM's files to NOD32's exclusion list, and have disabled NOD32's "Self-Defense" (which I've seen recommended on the ESET support forum). If I let the system start first, and then start MBAM and "Enable Protection Module" it seems to work with no problems. Should I take this up with MBAM or with ESET? Or should I give up on having the two work together? I don't mind having to start it myself, but I support other (family) computers, and want them to have the protection MBAM provides, but not if they have to start things manually. Any suggestions? Thanks. tr
  5. Yeah, I should get rid of those. I now use PDF X-change Viewer instead of Acrobat, so I just ignored it instead of uninstalling. Thanks for all your help, I really appreciate it. I just needed a good set of eyes to make sure I didn't miss anything. Gah! This malware stuff is infuriating. I think you can close this issue. Thanks again, much appreciated! tr
  6. Apologies. Here's the .zip file. I had missed some private data I wanted to remove.
  7. Okay, THAT took a while. I had some issues with MBAM real-time protection module freezing the system, but found the solution on the forum (due to an Epson print driver of all things). I disabled the MBAM service and ran the F-Secure Online Scanner as directed. Looks like it's no longer ActiveX, it's now Java based. Note: I ran the scan twice, once the "Full Scan" option, then once the "My Scan" option with everything turned on (like archives) -- the "really full" scan. I've attached both logs in a .zip file (it produced HTML reports, not text, so I attached them instead of posting them here, and I was unable to upload the .html files). Both scans found 3 items: 1 a tracking cookie and 2 "virus" files. However, neither MBAM, a-squared or Nod32 triggered on those 2 files in previous scans so I did not clean them, but I did submit them for analysis. Then I ran SecurityCheck.exe and here is the log file:

     Results of screen317's Security Check version 0.99.3
     Windows XP Service Pack 3
     Internet Explorer 8
     ``````````````````````````````
     Antivirus/Firewall Check:
     ESET NOD32 Antivirus
     Kerio Personal Firewall 2.1.5
     a-squared Free 4.5
     ```````````````````````````````
     Anti-malware/Other Utilities Check:
     Malwarebytes' Anti-Malware
     Java 6 Update 20
     Java 6 Update 2
     Java 6 Update 7
     Out of date Java installed!
     Adobe Flash Player 10
     Adobe Reader 7.1.0
     Out of date Adobe Reader installed!
     ````````````````````````````````
     Process Check: objlist.exe by Laurent
     Kerio Personal Firewall persfw.exe
     ````````````````````````````````
     DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
     ``````````End of Log````````````

     I did *not* run ComboFix as it sounds like you wanted me to do these instead. Let me know if there's anything else I can run (or rerun) for you. Thanks very much. tr
  8. Thanks. I have the computer today and will run the F-Secure scan and the Security Check.
  9. Looks like I just encountered the problem above on a system with an Epson print driver installed: MBAM 1.45 would hang during a full scan. I tried the "net stop spooler" trick above and the scan completed properly. Thanks for the workaround. Interestingly, the system would also hang if I did a full scan with A-squared free (MBAM running with run-time protection enabled). Before I found this thread, I had closed MBAM from the sysbar icon's right-click menu and had tried again; the scan still hung. I had had to stop the MBAM service manually before I was able to run a full A2 scan successfully. Also interestingly, all this time I had ESET Nod32 4.2 running. I *was* able to run a full Nod32 deep scan without disabling the MBAM service, and without stopping the print spooler.
  10. Thanks. I'll do that when I can get to the computer, likely tomorrow. Can I ask what evidence you see there? I didn't think I saw anything sinister...
  11. Ltangelic: thanks for letting me know, and for the effort. screen317: apologies for opening this post and then delaying; the computer is remote and I can't always get to it now, so replies may be delayed. Below is the contents of dds.txt, and attached is attach.txt. The only editing I did was to remove usernames and the computer's MAC address. Thanks very much. tr

     -----
     DDS (Ver_10-03-17.01) - NTFSx86
     Run by [user] at 14:12:20.96 on 11/04/2010
     Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.998.344 [GMT -6:00]

     AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

     ============== Running Processes ===============

     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     svchost.exe
     C:\Program Files\a-squared Free\a2service.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
     C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     C:\Program Files\Common Files\Motive\McciCMService.exe
     C:\Program Files\Kerio\Personal Firewall\persfw.exe
     C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\igfxtray.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
     C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
     C:\Program Files\HP\HP Software Update\HPWuSchd.exe
     C:\Program Files\Microsoft IntelliPoint\ipoint.exe
     C:\Program Files\TELUS_eCare_Lite\eCareTrayApp.exe
     C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
     C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
     C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Windows Media Player\WMPNSCFG.exe
     C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\Skype\Phone\Skype.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
     C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
     C:\Documents and Settings\[user]\Desktop\dds.scr

     ============== Pseudo HJT Report ===============

     uStart Page = hxxp://www.theglobeandmail.com/globe-investor/
     BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
     BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
     BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
     BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
     TB: SciFinder Scholar Bar: {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
     uRun: [skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
     mRun: [igfxTray] c:\windows\system32\igfxtray.exe
     mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
     mRun: [Persistence] c:\windows\system32\igfxpers.exe
     mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
     mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
     mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
     mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
     mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
     mRun: [TELUS_eCare_Lite_McciTrayApp] c:\program files\telus_ecare_lite\eCareTrayApp.exe
     mRun: [TEPA.exe] "c:\program files\telus\eprotect advisor\TEPA.exe" /AUTORUN
     mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
     mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
     mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
     mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
     mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
     mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
     mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
     DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133459270701
     DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
     DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133459298169
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
     DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
     Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
     Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
     Notify: igfxcui - igfxdev.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

     ================= FIREFOX ===================

     FF - ProfilePath - c:\docume~1\[user]\applic~1\mozilla\firefox\profiles\4482k8bz.default\
     FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npSfAppM.dll
     FF - plugin: c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
     FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
     FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
     FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

     ============= SERVICES / DRIVERS ===============

     R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-2-22 114984]
     R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-2-22 95872]
     R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [2006-11-24 102912]
     R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-3-30 101528]
     R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
     R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
     R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-3-21 1858144]
     R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-2-22 810120]
     R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-2-20 303952]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-2-20 20824]
     R3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-3-30 24876]
     S3 esihdrv;esihdrv;c:\docume~1\[user2]\locals~1\temp\esihdrv.sys [2010-3-21 107256]
     S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

     =============== Created Last 30 ================

     2010-04-09 22:28:21 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
     2010-04-09 22:28:21 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
     2010-04-09 22:28:17 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
     2010-04-09 22:28:17 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
     2010-04-09 22:28:09 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
     2010-04-09 22:27:51 0 d-----w- c:\windows\Logs
     2010-04-09 22:18:45 0 d-----w- C:\Riot Games
     2010-04-09 21:20:03 0 d-----w- c:\program files\Riot Games
     2010-03-27 18:17:33 54156 ---ha-w- c:\windows\QTFont.qfn
     2010-03-27 18:17:33 1409 ----a-w- c:\windows\QTFont.for
     2010-03-24 13:21:55 0 d-----w- c:\docume~1\[user]\applic~1\Tracker Software
     2010-03-24 13:14:54 0 d-----w- c:\program files\Tracker Software
     2010-03-21 22:03:49 2177 ----a-w- c:\windows\wini.ini.jic
     2010-03-21 19:11:23 0 d-----w- c:\program files\a-squared Free
     2010-03-21 14:44:40 0 d--h--w- c:\windows\PIF
     2010-03-21 01:30:34 0 d-----w- c:\windows\pss

     ==================== Find3M ====================

     2010-03-29 21:24:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-03-29 21:24:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
     2010-02-22 22:51:10 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
     2010-02-22 22:50:06 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
     2010-02-22 22:47:20 139192 ----a-w- c:\windows\system32\drivers\eamon.sys
     2010-01-12 00:47:26 3833856 ----a-w- c:\windows\system32\cdintf300.dll
     2006-12-07 20:04:38 359112 ----a-w- c:\program files\LimeWireWin.exe
     2004-10-01 22:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
     2009-01-11 03:09:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011020090111\index.dat

     ============= FINISH: 14:13:13.25 ===============
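The SERVICES / DRIVERS section of a DDS log is the part a helper reads first when the poster asks "what evidence do you see?": each line gives the start type, service name, display name, image path, file date and size. The script below is an added example, not part of the poster's log or of the DDS tool; it parses those lines and flags entries that a reviewer would want to look at by hand (an image under a temp directory, an image under a user profile, a kernel driver outside the usual driver directories). The flags are triage heuristics, not verdicts: the esihdrv.sys entry in the log above is flagged only because of where it loads from. The line format and the directory markers are my assumptions about DDS output; the sample input copies four lines from the log above plus one constructed line.

```python
"""Added example: triage the SERVICES / DRIVERS section of a DDS log.

Assumed line shape (my reading of the log above, not documented DDS behaviour):
    <R|S><n> <service-name>;<display-name>;<image-path> [<yyyy-m-d> <size>]
where R = running and S = stopped.
"""
import re
from dataclasses import dataclass

# Sample input: the first four lines are copied from the DDS log above, the
# last line is constructed to exercise the user-profile check.
SAMPLE = r"""
R1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\FWDRV.SYS [2006-11-24 102912]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-2-20 303952]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-2-20 20824]
S3 esihdrv;esihdrv;c:\docume~1\[user2]\locals~1\temp\esihdrv.sys [2010-3-21 107256]
S3 ghostsvc;Constructed Example Service;c:\docume~1\alluse~1\applic~1\ghostsvc.exe [2010-4-1 4096]
"""

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$"
)


@dataclass
class ServiceEntry:
    start: str      # R1/R2/R3 = running, S* = stopped (assumed meaning)
    name: str
    display: str
    path: str
    date: str
    size: int


def parse_services(text):
    """Return one ServiceEntry per line that matches the assumed format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["start"], m["name"], m["display"],
                                        m["path"], m["date"], int(m["size"])))
    return entries


# Heuristic markers (assumptions for this example, short-name forms included
# because DDS prints 8.3 paths such as docume~1).
STANDARD_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
USER_PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\users\\")


def review_reasons(entry):
    """List why a human should look at this entry; empty list means no flag."""
    p = entry.path.lower()
    reasons = []
    if "\\temp\\" in p:
        reasons.append("image loads from a temp directory")
    if any(marker in p for marker in USER_PROFILE_MARKERS):
        reasons.append("image lives under a user profile")
    if p.endswith(".sys") and not p.startswith(STANDARD_DRIVER_DIR) \
            and "\\program files\\" not in p:
        reasons.append("kernel driver outside system32\\drivers and Program Files")
    return reasons


def triage(text):
    """Map service name -> reasons, for entries with at least one reason."""
    flagged = {}
    for entry in parse_services(text):
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run against the sample, the script reports esihdrv (temp directory, user profile, driver outside the standard directories) and the constructed ghostsvc entry (user profile); the legitimately placed Kerio and Malwarebytes entries are not flagged. Flagged entries still need checking against the vendor (a scanner run from a temp folder will drop its driver there on purpose), which is exactly the conversation the poster was having with the helpers.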
  12. Hi Ltangelic, Thanks for getting back to me. I had to return the computer I was working on (and was away last week) but I can still get that information for you. I will get it this week and post the results as instructed. Thanks! tr
  13. Hello, I have been cleaning a system infected with XP Antivirus 2010. I used MBAM to clean it up, but had to make two passes -- for some reason the second pass picked up the "exefile/secfile" registry change that the first scan had missed (I'm pretty sure I didn't update the database in between). So thank you to MBAM and to this forum for the help in cleaning that up. However, now I'm wondering if the system is truly clean, or if I should wipe it and reinstall. I had NOD32 running (which let the trojan through), and after cleaning, I now have MBAM Pro protection running realtime. The person whose computer this is is probably a little uncomfortable trusting it now, so I was wondering if someone could take a look at some logs to give their opinion. Note: An MBAM scan (quick or full) now finds nothing. I was not going to post any logs at this point, before getting some advice and/or direction. Thanks very much. tr
  14. Thank you! I was finally able to try out the latest update and it does indeed no longer flag that file. Much appreciated!
  15. I ran a full scan (with "mbam /developer") and it generated the log file below:

     Malwarebytes' Anti-Malware 1.44
     Database version: 3517
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     10/01/08 9:43:57 AM
     mbam-log-2010-01-08 (09-43-57).txt

     Scan type: Full Scan (C:\|D:\|K:\|T:\|U:\|)
     Objects scanned: 468122
     Time elapsed: 1 hour(s), 21 minute(s), 7 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Documents and Settings\Peregrine\Local Settings\Temp\gtk20u.exe (Rootkit.Agent) -> Not selected for removal.

     A-squared Free and SuperAntiSpyware did not flag this file. Is it a false positive? I searched with Google and didn't find many references to it, but I suspect it's from Pidgin which installed GTK+ 2.0. I've attached the file, zipped. Also: I noticed at the end of the scan, MBAM connects to "spike.malwarebytes.org". This must be new with the latest version; what is it doing? Thanks in advance. Excellent product.