Jump to content

undo mbar changes to recycle bin; also, how to uninstall mbar?


Recommended Posts

Hi,

 

First, the relevant log:

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.10.17.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
anonymous :: ANON [administrator]

10/17/2013 4:37:16 PM
mbar-log-2013-10-17 (16-37-16).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 207985
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 15
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELL\Evidence Eliminator Quick Mode (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} (Rogue.EvidenceEliminator) -> Delete on reboot.
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELL\Evidence Eliminator Safe Restart (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELL\Evidence Eliminator Safe Shutdown (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\SHELL\Evidence Eliminator Safe Recycle (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (Rogue.EvidenceEliminator) -> Delete on reboot.
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DESKTOP\NAMESPACE\{645FF040-5081-101B-9F08-00AA002F954E} (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DESKTOP\NAMESPACE\{645FF040-5081-101B-9F08-00AA002F954E} (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\CLASSES\FOLDER\SHELLEX\CONTEXTMENUHANDLERS\Evidence Eliminator (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\CLASSES\FOLDER\SHELLEX\CONTEXTMENUHANDLERS\Evidence Eliminator (Rogue.EvidenceEliminator) -> Delete on reboot.
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Evidence Eliminator (Rogue.EvidenceEliminator) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\$Recycle.Bin\S-1-5-21-1806240336-1548989040-4130404775-1001\$RRM5JCY\V01.log (Extension.Mismatch) -> Delete on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

 

**************

 

It appears that mbar has corrupted the recycle bin.  The recycle bin icon has been replaced with a generic document icon and cannot be changed.  The right click menu contains only Open, Create Shortcut, Rename and Properties.  When Properties is selected it responds: The properties for this item are not available. 

 

Here is what I believed happened.  I was using Recuva to attempt to find some files.  I recovered a bunch of files, some of which were probably overwritten, and deposited these files in the Recycle Bin to remove later.  I imagine that one of these overwritten files led MBAR to an incorrect, false positive "Extension.MIsmatch."

 

The Recycle Bin is otherwise functional, but I cannot restore the icon.  My question is how do I undo whatever MBAR did? I imagine it's a registry entry issue...

 

Finally, how does one uninstall MBAR.  This should be made clear. 

 

Thanks. 

Link to post
Share on other sites

  • Root Admin

Please see the following article on how to restore the default Recycle Bin icon.

 

How To Restore Recycle Bin In Windows 7

 

EvidenceEliminator had taken over the registry setting CLSID 645FF040-5081-101B-9F08-00AA002F954E

 

Just reboot the computer and then you should be able to delete the folder where you ran MBAR from.

 

You should be able to download and save the attached zip file to your computer.  Then open the zip file and double-click on the registry file inside and it should then restore the Recycle Bin icon and operations.  You'll then need to reboot to see the changes.

 

RestoreRecycleBin_Icon.zip

Link to post
Share on other sites

Thanks, the regedit file restored the Recycle bin. 

 

Still confused about the Extension.Mismatch.  Can you shed any light on it?  I believe it's happened once before with an MBAM scan -- I can probably reproduce it if necessary. 

 

Finally, I ran the advanced command line MBAR instructions -- all 3 of them -- hoping that would help.  Should I simply delete this mbar and then re-download a fresh copy if I want to use it in future?

 

Thanks again for the prompt response.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.