
1972vet

Experts
  • Content Count: 1,341

Posts posted by 1972vet


  1. Thanks for the report 1972vet,

    The faulty signature that caused the F/p's has been removed from the database so the current database should no longer be producing these F/p's.

    Please can you confirm that its is fixed.

    I can confirm it is, now, no longer detected. Also I can't help thinking that it's already been suggested long ago, but this might be a good time to ask, just to be sure...and that is:

    I wonder why MBAM doesn't have the capability to scan quarantined files from within the quarantined folder. It's possible, but not available with mbam. In order to check whether or not mbam's signature database update has resolved NOT to flag some legitimate program, a user needs to first restore the file from quarantine, then scan again. I would rather see a "Right-click" context menu option from the quarantined folder so a user can "re-scan" any quarantined file from there without having first to restore the alleged "infected" file.

    Might sound silly to some, but I am certain there are countless folks who use mbam and who may routinely delete whatever is found in the quarantined folder without doing any research or having any instruction(s) to check these things out before they delete them. There is in fact, other protection software out there which will, by default, re-scan anything it finds in the quarantined folder and restore those items...mbam team players might want to consider writing this into the program as a "fully functioning" feature available with a paid license. This option, by the way, has proven to bring in more customers who actually DO want the convenience of a "hands off" approach to their protective software.


  2. Heads up ...

    On bootup this morning, MBAM suddenly decides my video editing tool and browser protection software contain infected uninstaller(s):

    DETECTION D:\Windows\Installer\SandboxieInstall32.exe Trojan.Backdoor.MRX QUARANTINE

    2013/02/15 03:43:04 -0600 DAVE-PC Dave DETECTION D:\Program Files\Avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

    2013/02/15 03:35:45 -0600 DAVE-PC Dave MESSAGE Executing scheduled update: Daily

    2013/02/15 03:35:53 -0600 DAVE-PC Dave MESSAGE Starting protection

    2013/02/15 03:35:53 -0600 DAVE-PC Dave MESSAGE Protection started successfully

    2013/02/15 03:35:53 -0600 DAVE-PC Dave MESSAGE Starting IP protection

    2013/02/15 03:36:15 -0600 DAVE-PC Dave MESSAGE Scheduled update executed successfully: database updated from version v2013.02.14.03 to version v2013.02.15.04

    ...

    2013/02/15 03:43:19 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

    2013/02/15 03:43:20 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

    2013/02/15 03:43:22 -0600 DAVE-PC Dave DETECTION d:\windows\installer\sandboxieinstall32.exe Trojan.Backdoor.MRX QUARANTINE

    2013/02/15 03:43:22 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

    2013/02/15 03:44:45 -0600 DAVE-PC Dave DETECTION d:\windows\installer\sandboxieinstall32.exe Trojan.Backdoor.MRX QUARANTINE

    2013/02/15 03:44:45 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

    2013/02/15 03:44:46 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

    2013/02/15 03:44:46 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

    2013/02/15 05:37:18 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

    2013/02/15 05:37:19 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

    2013/02/15 05:46:03 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

    2013/02/15 05:46:04 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

    2013/02/15 05:48:47 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE

    2013/02/15 05:48:47 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2

    ...so I assume there will be other users concerned about this as I'm sure there are plenty of SandBoxie users. And by the way, this wasn't from a manual or scheduled scan, it was just from having MBAM's real time protection active. Looks too, from the log, that the quarantine failed but those files are indeed quarantined and the associated registry keys are (at present) orphaned.

    For those who may be "CCleaner" users and who routinely clean out orphaned registry keys, if you are a SandBoxie or "Avidemux" user, and have run CCleaner (or maybe some other reg hacker), those registry keys undoubtedly would have been presented as orphaned and safe to remove. However, if you had done that, your MBAM quarantine folder will only restore the file...not those reg keys, so in the unlikely event that we have any users with this type of scenario, those couple pieces of software will need to be reinstalled. Just one more good reason why one should NOT be using such registry "cleaning" programs.
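As an added example that is not part of the original post or of Malwarebytes' own tooling: a small Python parser for protection-log lines in the layout quoted above, which pairs each DETECTION with a "Quarantine failed" ERROR that follows it and records the database version active at the time, so a file hit repeatedly by one signature can be re-checked against a newer database before anything is deleted from quarantine. The field layout and the 5-second pairing window are assumptions drawn from the quoted lines, not a documented format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed field layout of the quoted MBAM protection log:
# date time utc-offset host user event-type free-text-message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [+-]\d{4} "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>DETECTION|ERROR|MESSAGE) (?P<msg>.*)$"
)
# DETECTION message: "<path with spaces> <signature> <action>"
DETECT_RE = re.compile(r"^(?P<path>.+?) (?P<sig>\S+) (?P<action>\S+)$")
DBVER_RE = re.compile(r"database updated from version (\S+) to version (\S+)")

def parse_line(line):
    """Return a dict for one log line, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S")
    if ev["kind"] == "DETECTION":
        d = DETECT_RE.match(ev["msg"])
        if d:
            # case-fold the path: the quoted log shows the same file both as
            # D:\Program Files\... and d:\program files\...
            ev.update(path=d["path"].lower(), sig=d["sig"], action=d["action"])
    return ev

def summarize(lines, window=timedelta(seconds=5)):
    """Group DETECTION events by (path, signature). For each, count how often a
    'Quarantine failed' ERROR follows within `window` (and before the next
    detection), and record which database version was active at the time."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    current_db = None
    summary = defaultdict(lambda: {"detections": 0, "quarantine_failures": 0,
                                   "db_versions": set()})
    for i, ev in enumerate(events):
        if ev["kind"] == "MESSAGE":
            v = DBVER_RE.search(ev["msg"])
            if v:
                current_db = v.group(2)  # version now in force for later hits
            continue
        if ev["kind"] != "DETECTION" or "path" not in ev:
            continue
        s = summary[(ev["path"], ev["sig"])]
        s["detections"] += 1
        if current_db:
            s["db_versions"].add(current_db)
        for nxt in events[i + 1:]:
            if nxt["kind"] == "DETECTION" or nxt["ts"] - ev["ts"] > window:
                break  # a later error would belong to a different detection
            if nxt["kind"] == "ERROR" and nxt["msg"].startswith("Quarantine failed"):
                s["quarantine_failures"] += 1
                break
    return dict(summary)

def repeat_hits(summary, min_detections=2):
    """Paths hit repeatedly by a single signature: the pattern of the false
    positive discussed above, worth verifying against a newer database."""
    return sorted(k for k, s in summary.items() if s["detections"] >= min_detections)

# Sample lines copied from the log quoted in the post above.
SAMPLE_LOG = r"""
2013/02/15 03:35:45 -0600 DAVE-PC Dave MESSAGE Executing scheduled update: Daily
2013/02/15 03:36:15 -0600 DAVE-PC Dave MESSAGE Scheduled update executed successfully: database updated from version v2013.02.14.03 to version v2013.02.15.04
2013/02/15 03:43:04 -0600 DAVE-PC Dave DETECTION D:\Program Files\Avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE
2013/02/15 03:43:19 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE
2013/02/15 03:43:20 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2
2013/02/15 03:43:22 -0600 DAVE-PC Dave DETECTION d:\windows\installer\sandboxieinstall32.exe Trojan.Backdoor.MRX QUARANTINE
2013/02/15 03:43:22 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2
2013/02/15 05:37:18 -0600 DAVE-PC Dave DETECTION d:\program files\avidemux 2.5\uninstall.exe Trojan.Backdoor.MRX QUARANTINE
2013/02/15 05:37:19 -0600 DAVE-PC Dave ERROR Quarantine failed: SDKQuarantine failed with error code 2
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.strip().splitlines())
    for (path, sig), s in result.items():
        print(f"{sig} {path}: {s['detections']} detection(s), "
              f"{s['quarantine_failures']} quarantine failure(s), "
              f"db {sorted(s['db_versions'])}")
    print("repeat hits:", repeat_hits(result))
```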


  3. Excellent...very glad to see you've sorted it out for yourself. Good Work!

    This issue appears resolved and the thread is closed to prevent others from posting here.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine.

    Please start a new thread describing your issue and someone will be along to assist you.


  4. Greetings crayneno and Welcome to the Forums,

    Please uninstall these:

    µTorrent

    Java 7 Update 11

    Java™ 7 Update 5 (64-bit)

    uTorrentBar Toolbar

    ...then reboot when finished. When the system comes back up, you can install the latest version of Java Here. Next, please run a manual update to your on board mbam and perform a Full system scan. Post back THOSE results. Thanks!


  5. Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


  6. You can delete these now:

    Microsoft Safety Scanner

    DDS (and related logs). Next, we need to uninstall combofix, which will require you to disable your protective program(s) again as before...once you've done so, please click start, then in the "Search programs and files" box, type Run then press the enter key. When the "Run" box opens, copy/paste the following, then press "OK":

    ComboFix /Uninstall

    Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically. Once you've completed this successfully, please be sure to re-enable your on board protective software, then reboot the system once more to properly record those changes to the hard disk. Doing so ensures that Windows has the opportunity to record a copy to the hard disk of the "Last Known Good Configuration that Worked" so that it can be used as a point of reference, if needed in the future.

    As the evidence now shows no malware issues present, and your issue with MBAM freezing during a scan having been cleared, it seems we are left with only the validation issue. So...please fill us in on the result(s) from having worked with Microsoft about this previously. Where did this assist effort end? What was Microsoft's recommended actions for you? Did you do this completely by remote access or were you on the phone with them as well? Was there a ticket number referenced?

    Your answer(s) will clue us in as to how we should proceed next. Thanks!


  7. QUOTE I just wanted to be sure as other posts I have read mentionned this when trying to run ComboFix a second time.

    I see. You should also have read in this forum that following instructions and advice from the various "help" threads is recommended only for the author of that particular thread and that machine only.


    This log actually looks fine now. Are you able to manually update your MSE product?


  8. I'd also like to mention that your claim as indicated by the thread title "Malawarebytes affects windows licensing authentification" doesn't hold water...as the evidence now seems to be related to the combination of utilities you used previously between the tdsskiller scan and your previous usage of the combofix utilities. Those scans seem to be the earliest scans wherein an infection was present that would indeed have tampered with system core files, with the primary suspect being the tdsskiller utility. Combofix may also have been a good suspect but we won't know without the evidence that would be present during those previous scans. The logs from THOSE scans would be most valuable now. Without them, this issue may remain mysterious. As you can see, using those utilities without direction from some trained user can have some dire consequences.


  9. Hi,

    One last thing, do I have to uninstall and reinstall ComboFix before proceeding?

    Luc

    ?

    Why on earth would you think so? Nowhere in the instruction does it say to do that so your question has me puzzled. Regardless, to answer your question...no. Installing combofix as the instruction indicates is sufficient. I'm just curious now as to whether you ran combofix previously either on your own, or under the direction of some other assistant on some other web site. The log you produced from your combofix scan indicated to me that it had been run a total of three times. The fact that the other logs aren't located where they are supposed to be also has me puzzled. The only reason for it that I can think of is that you, or someone with access, had deleted them at some other help session.

    Bottom line is, I just need to see the next combofix log that is produced after you run the cfscript I wrote for you. And, by the way, the tdsskiller log indicated the zeroaccess infection as well. That scan log though, also shows that it was dealt with successfully and the core file that was infected had also been replaced. That very act itself would be considered "tampering" as it relates to the Windows validation issue...likewise with the initial infection. In any case, the infected file found during that scan was removed and replaced with a valid copy found. The issue at present, with the cf scan log, is a different infection entirely. That's why I asked for the other scan logs as it is likely that some needed files were present when those other scans were made. If you cannot locate them, I would like to know the history behind your usage of the combofix utility as the fact is for now...some software may need to be reinstalled...which may well include the operating system itself. We shall see...

    Please post the latest cf log produced from the above instructions. Thanks!


  10. Please post the tdsskiller log from the last time you used it. I'd like to bring to your attention, the use of this program:

    c:\programdata\RegSERVO

    ...as this program is basically a registry cleaner, it would be in your best interest if you were to use the program's built-in "copy" feature to restore any registry entries that you removed using this program. That is, unless you consider yourself an expert.

    Next, we need to run combofix again, using a script this time...so please disable the on board security products as before, thanks!

    Please open a blank Notepad...Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

    Combofix will run again automatically. Please post back the new log that will be generated along with the other requested logs. Thanks!

    Note:

    Do not mouseclick combofix's window while it's running. That may cause it to stall.

    KILLALL::

    RenV::

    c:\program files\Camera Assistant Software for Toshiba\traybar .exe

    c:\program files\ltmoh\Ltmoh .exe

    c:\program files\Synaptics\SynTP\SynTPStart .exe

    c:\program files\TOSHIBA\Utilities\KeNotify .exe

    folder::

    C:\found.000

    c:\users\Luc Duranleau\AppData\Roaming\PC Cleaners


    I'm assuming all went as planned as you made no mention of having difficulty other than the need for a reboot (which is quite common, by the way). So I would need to see combofix logs numbers 2 and 3. Please navigate to C:\qoobox. Inside that folder you would find the other combofix logs from your previous two scans. They would be numbered combofix2.txt and combofix3.txt...please post them on your next reply. Thanks!


    Disable any security program running real time protection. Disabling UAC is not necessary. With Windows Vista, the recovery console is a misnomer. Recovery options are on the install media and, in the case where vendors fail to include installation media with their systems, the recovery options are most likely on another (hidden) partition. This is probably your situation. You can check your owner's documents or the manufacturer's web site to confirm this if there are any doubts or questions.

    edit added:

    By the way, are you still unable to run a full system scan with mbam, in either normal or safe mode? The quick scan is your only option?


  13. Alright, thanks. By the way, whether you use a program or not, updating it is still necessary and if it is one that Secunia indicated was vulnerable, then that's all the more reason to follow through with their recommendation(s). I hope you did...

    I noted earlier that your version of mbam is out of date. Surprised as well that you made no mention of updating from having used either of the update scans I recommended above. Please open MBAM, run a manual update, reboot when it completes, then try running a full system scan again to see if things still freeze. If so, boot into safe mode and try the full scan from there. If it still freezes, just boot back to normal mode and continue below:

    Before I get too far off track with you, I wanted to remind you that if Microsoft had already worked with you to resolve this and they were unable, then I want you to know it should have ended there, since this type of issue can only be resolved by Microsoft licensing, either via telephone or by remote assistance as you indicated. If they can't resolve it then there's little chance anyone else will either.

    I do have to say though, I had a very similar situation myself with Vista some years ago but my issue was unrelated to any malware tampering. Mine was due to my own hacking of the registry. To resolve it, I simply uninstalled the service pack, restored the registry to the condition it was in before I hacked it, then reinstalled the service pack and the issue resolved.

    ZeroAccess seems to be what started this for you so we need to attack that vector. Let's move on...

    I had noted from evidence in the logs, that you had also tried a variety of other removal tools at some point. Just so there's no mistake, please do nothing other than what is instructed here until we finish...no other scans that is.

    I'd like you to try a free utility for me that might help us remedy this situation:

    Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.

    ...of those, many people overlook the Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled (Microsoft Security Essentials users can disregard the Windows Defender disable instruction since while MSE is installed, Windows Defender is disabled already by default).

    Please download combofix from This Webpage...and read through the instructions there for running the tool.

    ***Important Note***

    Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

    If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

    The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

    Once installed, a blue screen prompt should appear that reads as follows:

    The Recovery Console was successfully installed.

    When you see that screen, please continue as follows:

    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

    Note:

    Do not mouseclick combofix's window while it's running...that may cause the scan to stall.


  14. "LogmeIn is a client used by Microsoft support. I will leave there for now. There are no passwords involved."

    LogMeIn is a piece of remote access software which allows anyone to access your computer...anyone, that is, that knows YOUR password. You say "there are no passwords involved" but I challenge you to go back over the installation instructions you used. As a matter of course, the LogMeIn Host software (which is what you have installed) is designed to allow any remote user access to a system on which it is installed as long as THEY know how to log into the account that was set up. So...when you set up this account, are you saying that you set NO PASSWORD? If so, I would probably be able to access your system myself. I still suggest that you uninstall this software. If you choose to work with Microsoft again in the future and they want you to "trust" them by allowing them access to your system, then they can always instruct you to install it again at such time.

    By the way, if Microsoft told you to install this software while they were working with you, then failed to tell you to uninstall it when they finished, then I would have to say they failed to properly guide you using preferable security measures, which doesn't surprise me a bit.

    "6) The proxy setup was done by one of my government clients. Completely legitimate and I believe disactivated."

    Please explain this in greater detail. Is that system your own or is this owned by some company for the work you do? Regardless, the proxy server is there and not "disactivated" as you call it.

    "7) At the moment, the authentication problem remains."

    Is this ever present? By that I mean, do you see a message in the lower right corner of your system which says "This copy of Windows is not valid"? Are you unable to download any of the non-critical Windows Updates?


    We need to update much of your software and we also need to make a determination as to which of these are experiencing vulnerabilities. Please download FileHippo's Update Checker. Double-click the FHSetup.exe file to install it. When the install completes, you'll find the Update Checker shortcut on the desk top. Double-click on it and a scan begins with the results showing in your browser. Any software it finds to be out of date, will be presented in your browser. Just click on the download link provided there to download your software updates. Ignore the beta software unless you want that...during the scanner initialization, you can click the settings link, then click the results tab and check the box "Hide beta versions". After clicking the OK button, click the "Retry" link to continue the scan with those settings. Please remember to post back your results.

    Next, we need to install the secunia PSI utility. You can find it Here...just click the green download button on the right. When the download completes, please right-click the PSISetup.exe and select "Run as administrator". Follow the prompts to install it and please leave all default settings as they are. When finished, click to allow the utility to perform a scan of the system. When that scan completes, you will be shown a listing of programs which have been found to contain vulnerabilities...along with this, there will be a "solution" with Secunia's recommendations.

    Please post back THOSE results as well...Next, please download the Microsoft Safety Scanner. Just beneath the Download Now button, please click the "Select your version" link, then select which version applies in your situation.

    Choose "Save File" and save it to your desktop. When the download completes, double-click the executable file and choose to run the program (please "OK" any prompts). Accept the terms and click "Next". Click "Next" again to choose the type of scan. "Quick scan" is selected by default. Please leave this default setting, then click "Next" to begin the scan.

    This scanner works with your antivirus program so disabling it is not necessary. Please do nothing else with your computer while this scan is underway.

    If the scan reports something found and removed, then it's best to follow up with the "Full scan". In either case, when the scan(s) complete click the Finish button to close the program. Please locate the log Here:

    C:\Windows\Debug\msert.log

    ...The log will open as a text file using notepad. Please copy its contents and post that here in your next reply. Thanks!


  15. QUOTE ...First Quote:

    I tried to perform a complete scan and

    the software completely freezes my computer when scanning the following file.

    C:\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPFILT.DLL

    I do not know if this file has a problem but the application forced a hard reset which is not too good in any case.

    ...Next Quote:

    Files Infected:

    C:\Windows\assembly\GAC\Desktop.ini (Rootkit.0access) -> Delete on reboot.

    Problem

    At this time, the windows licensing process has been corrupted and the OS continuously asks me to authenticate my OS with my product key.

    All attempts to activate fail. Even Microsoft support failed to reactivate my OS.

    Is there something Malwarebytes did that can be recovered so that my licensing process functions properly?


    As to the first quote above...that file you reference is harmless. It's part of Microsoft Office's Image Filter library for document Imaging. The freeze issue may be totally unrelated.

    As to the second quote above...possibly. One way to find out is simply to open MalwareBytes, click the "Quarantine" tab and restore the file that MBAM removed which caused your Microsoft Authentication issue. Please be sure to restore ONLY that one file (referenced in the quote above labeled "Problem") that was removed just prior to this becoming an issue.

    One big problem I noticed first is the packed drive. Your operating system needs a bit more breathing room. According to the size of your hard disk, your Windows drive partition needs at the minimum, 33 gigs of free space...keep in mind, this is minimum. More than that is ideal, but you have in fact, 2 gigs less. To remedy this, you would need to uninstall/remove/delete things you KNOW with certainty that you don't need. I would suggest that if you have files/folders/documents that you created, please consider placing them on removable media. Such things as music and video can be huge files that would be good candidates for removal.

    Did you install, and do you use LogMeIn and GoToMeeting? They're fine to use if you did, just be certain to use strong passwords...but if you did not, uninstalling them is the best idea.

    Backup software can quickly add up, so keeping an eye on this is most important. If you create backup copies using such software, look into the prospect of keeping these on removable media.

    I can also suggest removing these:

    SUPERAntiSpyware

    ESET Online Scanner v3

    ...they are fine to use but for your purposes at this point, they can be removed to help free up needed disk space.

    On your next reply, please post a fresh DDS scan log. Tell us what issues remain and please answer if you created this proxy setup:

    uProxyServer = fpro.rtss.qc.ca:8080

    Thanks!


  16. As this member reports having resolved the issue, this thread is closed to prevent others from posting here.

    Other members who need assistance please start your own topic in a new thread. Thanks!

    The fixes and advice offered in any thread on this help forum should be considered to have been constructed solely for the machine referenced in the particular help thread. Do not attempt to apply any instructions from this "help" thread to your own machine unless YOU are the author of the particular thread that you are reading. Instead, please start a new thread describing your issue and someone will be along to assist you.
