Nisar

  1. Hi, Malwarebytes does not automatically start up with Windows 7 and requires administrator capacity. Please help to resolve this. Thanks in advance.
  2. Hi, thanks for your reply. As I noticed, since the installation of Malwarebytes on XP I have not noticed any popups; I mostly visit the same sites in 7 and XP. And for the SAS removed files, I will restore them as per your instruction, except those files.
  3. Hi, I checked the same site in Windows 7 and XP. In 7 the IP block popup is showing, and for the same site in XP the popup was not showing (IP protection on). Second, would you like me to restore all the files removed by SAS? They are all not affected?
  4. First: Please clarify one thing for me: the files shown as infected were removed by SAS; will this cause any problem in the future or not? Second: Yes, the IP blocking popup does not do that in XP.
  5. Hi, thanks for your reply. But the SAS log I posted was scanned on the Win7 drive only. How does it show the same files and infections? And one more thing, the popup message of IP blocking is not showing in XP, but the same is showing in Win7.
  6. Hi, as per your instruction I am posting the developer log scanned today. I am also posting the normal MBAM and SAS logs for your reference. After SAS cleaning in safe mode there is only one infection still showing in MBAM. I am posting the logs in the order below:

     1st - Normal MBAM log (scanned 7 from XP boot)
     2nd - SAS log scanned in 7 boot
     3rd - Developer MBAM log (scanned 7 from XP boot after SAS safe mode cleaning from 7)

     1st - Normal MBAM log (scanned 7 from XP boot)

     Malwarebytes' Anti-Malware 1.44
     Database version: 3651
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     1/28/2010 9:58:13 PM
     mbam-log-2010-01-28 (21-58-13).txt

     Scan type: Full Scan (I:\|)
     Objects scanned: 150114
     Time elapsed: 1 hour(s), 19 minute(s), 1 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 13

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     I:\Program Files\ESET\ESET NOD32 Antivirus\eguiDmon.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Users\Survesh\STU.exe (Trojan.VkHost) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost\6134df24edeeae61818e573549062c70\ehExtHost.ni.exe (Worm.Waledac) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\adbc1d6ad05b3297a8eb9ecb1e7d910a\Microsoft.PowerShell.ConsoleHost.ni.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\napsnap\07bcfae58139fe159c24eb7d42b9db8f\napsnap.ni.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\ddb4e602ccad9160f05ac400fcacc431\SMSvcHost.ni.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\System.Net\c9dc297cf81f60646ad98a48cf5a9107\System.Net.ni.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\0dcc444a38a9e041f690df4bdee2d3fe\System.Web.Entity.Design.ni.dll (Worm.Waledac) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\ad8a7493b8e2280fc404be082e295478\System.Xml.Linq.ni.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\f32ef4182fa8ab253ed5c7456440eb21\Microsoft.ApplicationId.RuleWizard.ni.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\pss\2.exe.Startup (Trojan.VkHost) -> Quarantined and deleted successfully.
     I:\Windows\System32\appidpolicyconverter.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\System32\en-US\UIRibbon.dll.mui (Trojan.Dropper) -> Quarantined and deleted successfully.

     2nd - SAS log scanned in 7 boot

     SUPERAntiSpyware Scan Log
     http://www.superantispyware.com

     Generated 01/29/2010 at 00:03 AM

     Application Version : 4.33.1000

     Core Rules Database Version : 4528
     Trace Rules Database Version: 2340

     Scan type : Quick Scan
     Total Scan Time : 00:42:22

     Memory items scanned : 389
     Memory threats detected : 0
     Registry items scanned : 575
     Registry threats detected : 0
     File items scanned : 42642
     File threats detected : 21

     Trojan.Agent/Gen-Nullo[short]
     C:\USERS\SURVESH\STU.EXE
     C:\WINDOWS\ASSEMBLY\GAC_32\MICROSOFT.GROUPPOLICY.ADMTMPLEDITOR.RESOURCES\6.1.0.0_EN_31BF3856AD364E35\MICROSOFT.GROUPPOLICY.ADMTMPLEDITOR.RESOURCES.DLL
     C:\WINDOWS\ASSEMBLY\GAC_MSIL\WINDOWSFORMSINTEGRATION\3.0.0.0__31BF3856AD364E35\WINDOWSFORMSINTEGRATION.DLL
     C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\EHEXTHOST\6134DF24EDEEAE61818E573549062C70\EHEXTHOST.NI.EXE
     C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.APPLICATI#\F32EF4182FA8AB253ED5C7456440EB21\MICROSOFT.APPLICATIONID.RULEWIZARD.NI.DLL
     C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.POWERSHEL#\ADBC1D6AD05B3297A8EB9ECB1E7D910A\MICROSOFT.POWERSHELL.CONSOLEHOST.NI.DLL
     C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\NAPSNAP\07BCFAE58139FE159C24EB7D42B9DB8F\NAPSNAP.NI.DLL
     C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SMSVCHOST\DDB4E602CCAD9160F05AC400FCACC431\SMSVCHOST.NI.EXE
     C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SRPUXSNAPIN\6223647C99486E95DAC835EF72C23FE7\SRPUXSNAPIN.NI.DLL
     C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.NET\C9DC297CF81F60646AD98A48CF5A9107\SYSTEM.NET.NI.DLL
     C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.WEB.ENTITY.D#\0DCC444A38A9E041F690DF4BDEE2D3FE\SYSTEM.WEB.ENTITY.DESIGN.NI.DLL
     C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\SYSTEM.XML.LINQ\AD8A7493B8E2280FC404BE082E295478\SYSTEM.XML.LINQ.NI.DLL
     C:\WINDOWS\PSS\2.EXE.STARTUP
     C:\WINDOWS\SYSTEM32\APPIDPOLICYCONVERTER.EXE
     C:\WINDOWS\SYSTEM32\EN-US\UIRIBBON.DLL.MUI
     C:\WINDOWS\WINSXS\MSIL_WINDOWSFORMSINTEGRATION_31BF3856AD364E35_6.1.7600.16385_NONE_28B544D02FB07E17\WINDOWSFORMSINTEGRATION.DLL
     C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-APPID_31BF3856AD364E35_6.1.7600.16385_NONE_5722666F137AE177\APPIDPOLICYCONVERTER.EXE
     C:\WINDOWS\WINSXS\X86_MICROSOFT-WINDOWS-UIRIBBON.RESOURCES_31BF3856AD364E35_6.1.7600.16385_EN-US_CD570AC54B88DB8A\UIRIBBON.DLL.MUI
     C:\WINDOWS\WINSXS\X86_MICROSOFT.GROUPPOLI..MPLEDITOR.RESOURCES_31BF3856AD364E35_6.1.7600.16385_EN-US_8CA9B3FF9756F56C\MICROSOFT.GROUPPOLICY.ADMTMPLEDITOR.RESOURCES.DLL
     C:\WINDOWS\WINSXS\X86_WPF-WINDOWSFORMSINTEGRATION_31BF3856AD364E35_6.1.7600.16385_NONE_F9F26586DD23A6FC\WINDOWSFORMSINTEGRATION.DLL
     D:\SYSTEM VOLUME INFORMATION\_RESTORE{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP3\A0000025.EXE

     3rd - Developer MBAM log (scanned 7 from XP boot after SAS safe mode cleaning from 7)

     Malwarebytes' Anti-Malware 1.44
     Database version: 3670
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     2/1/2010 3:18:51 PM
     mbam-log-2010-02-01 (15-18-51).txt

     Scan type: Full Scan (I:\|)
     Objects scanned: 151051
     Time elapsed: 1 hour(s), 17 minute(s), 17 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     I:\Program Files\ESET\ESET NOD32 Antivirus\eguiDmon.dll (Trojan.Dropper) -> Quarantined and deleted successfully. [b0DD1F7D3FB3C6431512A1BC76CCB92B]

     Please help to resolve this.
  7. Hi, I am using a dual boot system with XP and 7. In Windows 7 the site blocking popup is coming up, but the same was not happening in XP. Why this problem?
  8. Hi

     Malwarebytes' Anti-Malware 1.44
     Database version: 3649
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     1/31/2010 12:26:40 PM
     mbam-log-2010-01-28 (12-26-40).txt

     Scan type: Full Scan (I:\|)
     Objects scanned: 150281
     Time elapsed: 1 hour(s), 20 minute(s), 53 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 13

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     I:\Program Files\ESET\ESET NOD32 Antivirus\eguiDmon.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\ddb4e602ccad9160f05ac400fcacc431\SMSvcHost.ni.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\System.Net\c9dc297cf81f60646ad98a48cf5a9107\System.Net.ni.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\adbc1d6ad05b3297a8eb9ecb1e7d910a\Microsoft.PowerShell.ConsoleHost.ni.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\napsnap\07bcfae58139fe159c24eb7d42b9db8f\napsnap.ni.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\f32ef4182fa8ab253ed5c7456440eb21\Microsoft.ApplicationId.RuleWizard.ni.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\System32\appidpolicyconverter.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\ad8a7493b8e2280fc404be082e295478\System.Xml.Linq.ni.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\System32\en-US\UIRibbon.dll.mui (Trojan.Dropper) -> Quarantined and deleted successfully.
     I:\Windows\pss\2.exe.Startup (Trojan.VkHost) -> Quarantined and deleted successfully.
     I:\Users\Survesh\STU.exe (Trojan.VkHost) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost\6134df24edeeae61818e573549062c70\ehExtHost.ni.exe (Worm.Waledac) -> Quarantined and deleted successfully.
     I:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\0dcc444a38a9e041f690df4bdee2d3fe\System.Web.Entity.Design.ni.dll (Worm.Waledac) -> Quarantined and deleted successfully.
  9. Hi, I used SUPERAntiSpyware to scan the 7 drive and it also showed the same result. As per the SAS instruction I scanned the same from safe mode and it cleaned all those infected files. Now MBAM shows a clean log when I scan the 7 drive from Windows XP.
  10. It shows the same result. Please tell me whether the viruses found are real viruses or false positives.
  11. Hi, from which partition do I have to run the .exe, XP or 7?
  12. Hi, I currently have XP and 7 installed in a dual boot environment. I have Malwarebytes on both. When scanning from Windows 7 no infections are found, but when I scan from within XP infected files are being found on the partition on which Windows 7 is installed. The files found are the following:

     Files Infected:
     C:\Program Files\EASEUS\EASEUS Partition Master 4.1.1 Home Edition\bin\growisofs.exe (Trojan.Dropper) -> No action taken.
     C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsFormsIntegration.dll (Trojan.Dropper) -> No action taken.
     C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll (Trojan.Dropper) -> No action taken.
     C:\Windows\assembly\GAC_MSIL\WindowsFormsIntegration\3.0.0.0__31bf3856ad364e35\WindowsFormsIntegration.dll (Trojan.Dropper) -> No action taken.
     C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost\6134df24edeeae61818e573549062c70\ehExtHost.ni.exe (Worm.Waledac) -> No action taken.
     C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\adbc1d6ad05b3297a8eb9ecb1e7d910a\Microsoft.PowerShell.ConsoleHost.ni.dll (Trojan.Dropper) -> No action taken.
     C:\Windows\assembly\NativeImages_v2.0.50727_32\napsnap\07bcfae58139fe159c24eb7d42b9db8f\napsnap.ni.dll (Trojan.Dropper) -> No action taken.
     C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\ddb4e602ccad9160f05ac400fcacc431\SMSvcHost.ni.exe (Trojan.Dropper) -> No action taken.
     C:\Windows\assembly\NativeImages_v2.0.50727_32\SrpUxSnapIn\6223647c99486e95dac835ef72c23fe7\SrpUxSnapIn.ni.dll (Trojan.Dropper) -> No action taken.
     C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Net\c9dc297cf81f60646ad98a48cf5a9107\System.Net.ni.dll (Trojan.Dropper) -> No action taken.
     C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\0dcc444a38a9e041f690df4bdee2d3fe\System.Web.Entity.Design.ni.dll (Worm.Waledac) -> No action taken.
     C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\ad8a7493b8e2280fc404be082e295478\System.Xml.Linq.ni.dll (Trojan.Dropper) -> No action taken.
     C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Applicati#\f32ef4182fa8ab253ed5c7456440eb21\Microsoft.ApplicationId.RuleWizard.ni.dll (Trojan.Dropper) -> No action taken.
     C:\Windows\System32\appidpolicyconverter.exe (Trojan.Dropper) -> No action taken.
     C:\Windows\System32\en-US\UIRibbon.dll.mui (Trojan.Dropper) -> No action taken.

     Could anyone advise on why this is happening and any action I should take? All help will be really appreciated.