***False positive Trojan.Downloader.ED***

Can anyone help me further? (post #284)

So far I am in safe mode with networking, however I can not get a connection. The dll errors seem to have disabled that, among other things. Such as searching from the task bar. If I search, nothing shows up.

I am still trying to get rid of this dll first and foremost in order to try and login:

C:\Windows\system32\FACredProv2.dll

I have tried to remove the software, FastAccess, in order to remedy that (no longer need the software) but you can't remove anything in safe mode. Then I tried this tutorial in order to bypass the problem.

http://www.sevenforums.com/tutorials/117840-uninstall-remove-software-safe-mode.html

It requires me to search from the taskbar, which is impossible as stated before.

I have also tried locating the files with a right click to find their location and just deleting them manually. (note: I could not find the dll in question, so this didn't work. I have restored the files since then)

Where it says to search, instead try the Windows key+R and type in what they ask you to in the Run box instead.

I finally got into recovery mode and tried to launch the fix, but I get the following errors when I try to do it, I titled it MBAMFIX. MBAMFIX>FIXTOOL.EXE/PMOFF The subsystem needed to support the image type is not present. C:\MBAMFIX>fixtool.exe/ quarantine - list ; grep "file.trojan[.]Downloader[.] ED." ; sed-e./file Trojan etc..... the subsystem needed to support the image type is not present. What do I do now please?


@jackwoe I believe you need to be online for the fix tool to work. I don't think it will work in the recovery console. If you can get into safe mode with networking, try it there. I think that might help.

---------

As for myself. I finally deleted the program FastAccess and was able to boot normally. Still getting dll errors and can not connect online (if you need to know what kind of errors, ask and I'll write them out)

Still, tried running the fix but to no avail. Any ideas?

thanks.


I've been back and forth with support, when I booted to safe mode with networking, my PC locked up on the PCI devices listing. Support told me to reload my xp disk, but since I seem to be frozen at the devices list, that obviously didn't work. When I rebooted, the same devices list is there. So...I'm stuck. There's nothing I can do. I could take my PC in for service, but it will likely cost a couple hundred bucks. At this point, since my PC is about 5 years old, I'm probably going to buy a new one. I'm so disappointed this happened, I've recommended mb to everyone I know, now this. Will mb help me pay for this? It has completely totalled my PC. Unbelievable.


  • Root Admin

@KunichiMinamino

Please list out the exact errors or missing files it says when the computer boots up into Normal Mode

I'll be out of town most of the day tomorrow but I'll assist you further once I get home

Thank you

@jackwoe

Please see my reply in your other post and please stay with one topic only as it makes it harder to help you.

Thanks


  • Root Admin

@turk621

I'm sorry about the issues you're having and if you want I will try to assist you with getting the computer working.

Please provide me with more detail on what issues you're having as well as what errors you're seeing. Are you able to boot into either Safe or Normal Mode?

If so please try to run the following and post back the logs and also let me know the errors and issues you're having.

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool, on Vista or Win 7 right click and select Run as administrator

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file in most cases.

Thank you


First of all, I'd like to point out I reDLed Malwarebytes today, after this whole fiasco,

Turns out, it still gave out false positives and deleted important files, such as system32 and etc. So you guys should probably check up on that.

I'm using Windows XP

My desktop is wiped, I only see a wallpaper and cursor. It tells me

"This copy of Windows must be activated with Microsoft before you can continue. You cannot log on until you activate Windows."

So in other words, I can't access anything, even in safemode/safemode with networking.

When I try to activate windows, it goes like this:

-Do you want to activate windows now?--I choose Yes, let's activate Windows over the internet now.

-Do you want to register and activate Windows at the same time?-- I choose no, let's just activate Windows.

"Checking for connectivity"

I can now choose to automatically detect settings, or proxy server, I choose auto detect.

"Checking for connectivity"

"Unable to establish a connection with the activation server. Please check your network settings and confirm that you are able to connect to the internet, then try again."

I am connected, or at least I was before this mess, and I can't really check if I am or not now.

I'm guessing I need to reinstall entirely with a windows disc?

If anyone has any solutions or helpful advice, feel free to add, thanks~

And again, this happened with the current version of malwarebytes on their website, that I downloaded maybe 3 hours ago, which would make it April 19th pst.


  • Root Admin

@SlayerJuan

Please just relax and don't do anything drastic. I'm sure we can get your computer running okay again it will just take time.

Running another scan on a computer that has multiple core operating systems could itself cause a false positive so not a good idea to do a scan until asked to.

STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from here
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say NO to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 02

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

STEP 03

Next, Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop

dds.scr

dds.com

Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr or dds.com to run the tool, on Vista or Win 7 right click and select Run as administrator

Click the Run button if prompted with an Open File - Security Warning dialog box.

A black DOS console should open and run for a moment.

When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file in most cases.

It is quite late here about 2:30AM so I'm going to bed and I'll be out of town tomorrow but please be patient and either someone else will assist you, or I will assist you later tomorrow night once I get back in.

Thank you

Okay, here are the missing dll files that pop up when I log in.

FLVservice.exe

C:\Windows\WinSxS\x86_microsoft.v90.crt_lfc8b3b9a1e18e36_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll

(forgot what exe this was, but it's for the printer)

C:\Program Files\DellV305\dldtDRS.dll

ASPDseamon.exe

C:\Program Files\Common Files\Apple\Apple Application Support \libicuuc.dll

(I think this one actually came up twice)

iTunes Helper.exe

C:Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934febcb7eb57\MSVCR9O.dll

I'm also going to include a dll error when trying to establish a connection, I think it has something to do with the wizard. This one doesn't come up at startup, but it prevents me from connecting.

c:\Windows\system32\xwtpw32.dll


If anyone wants to try this, it worked for me. I only thought of it moments before restoring with a ghost image, but there was still too much corruption in the end so I just restored.

At the black screen with a cursor, I was able to get a cmd prompt and run the MBAM fix tool using (W7 x64 Ultimate & Home Pre)

I had 2223 (DETECTION Trojan.Downloader.ED QUARANTINE) entries in the logs, I think it's safe to say no one should realistically be expecting to run the tool and come back clean, if ever.

Hope this helps someone, please let me know if you guys have any success with this.

1) Get yourself a copy of Hirens Boot CD (boot into their Mini XP) - This will make things easier, but you can do copy, rename however you want.

2) Once booted into Hiren, Navigate to system drive\Windows\System32

3) Rename \Windows\System32\taskmgr.exe --> taskmgr.exe_oem

4) Rename \Windows\System32\sethc.exe --> taskmgr.exe

4wtf) You’re asking yourself wtf, I know... But read on

5) Exit Hiren, boot normally

6) Arrive at black screen with Cursor

7) Hit Shift Key 5 times in a row (This by default launches sethc.exe) So....

8) You should now get Windows Task Manager (If you have COMCTL32.DLL missing then that may foobar this entire workaround) - If not Continue on...

9) In task manager, File "New Task", enter cmd.exe, make Sure to have elevated checkbox checked off

10) You should get a cmd prompt now, and should be able to navigate to and execute \mbam-repair-1.08.0.1000\RunThis.bat

For W8 users instead of sethc.exe - it's C:\Windows\System32\EaseOfAccessDialog.exe

The enterprise I manage has over 15k clients, and we were debating on implementing MBAM - lol

My only real question is what does MB plan to do in order to re-pay and/or compensate its own user base for their time wasted repairing the damage caused by their faulty heuristics

0XM000

MCITP,MCSE,MCSA,MCAD

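An added defender-side check, not from the post above and not a Malwarebytes tool: after a workaround like the one described, the renamed binaries need to be put back, and the same swap is a classic persistence trick when someone else does it, so it is worth verifying on any machine that went through this incident. It assumes PowerShell 2.0 or later and the file names the post uses (sethc.exe, taskmgr.exe, taskmgr.exe_oem, EaseOfAccessDialog.exe).

```powershell
# Added example, not from the post above and not a Malwarebytes tool.
# Windows stores OriginalFilename in each executable's version resource, and
# renaming the file on disk does not change it. A sethc.exe that is really
# taskmgr.exe (or cmd.exe) therefore reports the real program name.
# Assumption: stock Windows binaries carry an OriginalFilename matching their
# on-disk name (case differences are fine, -ne is case-insensitive).
$system32 = Join-Path $env:SystemRoot 'System32'
# EaseOfAccessDialog.exe only ships with Windows 8 (per the post); on older
# versions it is expected to show as MISSING and can be ignored there.
$watched = @('sethc.exe', 'taskmgr.exe', 'EaseOfAccessDialog.exe')

function Test-RenamedBinary {
    param([string]$Name)
    $path = Join-Path $system32 $Name
    if (-not (Test-Path $path)) {
        # Missing entirely, e.g. sethc.exe after step 4 renamed it away.
        return New-Object PSObject -Property @{
            File = $Name; Status = 'MISSING'; OriginalFilename = $null }
    }
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $Name)) {
        $status = "SWAPPED (really $orig)"
    } else {
        $status = 'ok'
    }
    New-Object PSObject -Property @{
        File = $Name; Status = $status; OriginalFilename = $orig }
}

$watched | ForEach-Object { Test-RenamedBinary $_ } |
    Format-Table File, Status, OriginalFilename -AutoSize

# Second indicator: the renamed original left behind by step 3
# (taskmgr.exe_oem). Stock System32 has no *.exe_* files.
Get-ChildItem $system32 -Filter '*.exe_*' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime
```

Any row reporting SWAPPED or MISSING, or any *.exe_* leftover, means the originals have not been restored; restoring them from the renamed copies (or from install media) is the clean-up step.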

I wanted to post my experience with this issue. I was using my Windows 7 desktop when the problem hit - I saw an alert from Malwarebytes, clicked on it then saw another. At that point I tried to open Malwarebytes from the tray icon but it did not respond (now I know it was very busy quarantining files). I kept trying to open it and kept getting no response.

So I suspected that malware had hit my computer and had disabled/screwed Malwarebytes. So I immediately forced a shut down. On restart I had a catastrophic failure as the login facility was disabled.

I then started my Windows 8 laptop to see if the same issues appeared there, but fortunately I stopped it starting as I suddenly had the thought that this could possibly be a problem with false positives from Malwarebytes. Just as well I stopped it or it would have been hosed as well!!

I started up an old XP netbook that did not have MB installed and had a look at the MB forum then discovered the problem was a MB update.

Back to my desktop - I put a recovery disk in and did a System Restore. The system then started OK, but Windows Update failed to work and SFC refused to start. With those key procedures failing I had grave suspicions about the integrity of my system. I summarised that it may be possible to apparently repair the system, only to find some other component failing later.

I tried to restore a Windows 7 Backup disk image and that failed!!!!

So I re-formatted and reinstalled Windows, software and data (which I backup separately). This took a couple of days work, but my system is now a bit livelier so I am happy. But had I also lost my Windows 8 and Windows 7 laptops I would not have been impressed!

I suspect that Malwarebytes tied itself up in knots because there were so many files being quarantined.

I have temporarily disabled Malwarebytes file system protection on all my computers.

I would like to know if the quality control procedures promised by you have been implemented yet. If so I will re-enable protection.

