Jump to content

Recommended Posts

I've had an MBAM full scan running for almost 27 hours, which has scanned over 4.3 MILLION objects and found 27 infected objects.

Is it normal for a full scan to take this long? Alot of the recent files/folders have been in c:\windows\$NtServicePackUninstall$\*.*

HISTORY

I've got an IBM Thinkpad from a friend who had terrible virus troubles mostly centered around "Internet Security 2010" that I'm trying to clean up for them.

MBAM "full scan" would not work at first, only "quick scan" so Iresorted to running ComboFix. Once Combofix was done, I was then able to get MBAM's full scan to run. It has now been running a long time as described above.

Link to post
Share on other sites

Hello TRS-80, and welcome to the forums here at Malwarebytes.org :)

Did you clean out the temp files first? If not, I can link you to a tool that is a very small size and quickly clears out unnecessary temp files.

Also, usually a quick scan is all that is needed :lol:

My full scan takes between 45 minutes and an hour and 40 minutes. It really depends on the system, how many files are on it, how old it is, and things like that.

27 hours is a really long time though.

When replying, please use the "ADD REPLY" button, as this makes the forum easier to read. Thank you :)

Link to post
Share on other sites

Pausing the scan will not hurt if you want to go and run that clean up tool. But most of us here on the forum prefer to do the cleanup first, before we do a full scan.

Also I hardly ever do a full scan. A quick scan is much faster and it will catch the malware and help you remove it. The quick scan only scans the most common areas that malware will reside in.

Link to post
Share on other sites

I did quick scans first because MBAM never could do a full scan without the system rebooting...

My quick scans did find some things early on, but the last one I did showed that it found 0 infections... whereas the full scan that is currently still running has found 27 infected objects (over 28 hours and after scanning over 4.5 MILLION objects).

I'm just afraid to abort the scan after investing 28 hours into it.

Q: Should I delete the c:\Windows\$NtServicePackUninstall\*.* directory?

Q: Once the scan in paused, can I put the computer (IBM Thinkpad) into hibernation and pick up the scanlater? The reason I'm asking is that I've been working on this for 3 days at my office, but will be gone for a couple of days and I don't want to leave it here unattended.

Link to post
Share on other sites

  • Root Admin

No you should not delete those files and folders indiscriminately. I would recommend the following assuming you're on Windows XP

STEP 01

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

STEP 02

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup227_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files and Cookies if you want to keep them.
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 03

Restart the computer one more time.

STEP 04

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log here please.

You will probably more than likely need to finish up though i the HJT forum where a Helper can assist you in Detection and Removal of Malware as we do not work on any logs of active Malware in this forum.

Link to post
Share on other sites

HALELUJAH!

After almost 30 hours, the scan finally finished and allowed me to view the scan results and subsequently to delete/remove the infections.

I'm going to run a couple other scanners to see if they find anything else, but it looks lie this may be coming to an end.

Link to post
Share on other sites

It should produce a LOG file and I would still like to see that log please. You can post it directly or if it's too large you can attach it as a TXT file.

Here it is... the infamous 28 hr 40 minute long MBAM session.

Malwarebytes' Anti-Malware 1.44

Database version: 3640

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

1/27/2010 5:14:39 PM

mbam-log-2010-01-27 (17-14-39).txt

Scan type: Full Scan (C:\|)

Objects scanned: 4711877

Time elapsed: 28 hour(s), 40 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 27

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP190\A0031573.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP190\A0031581.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP190\A0035609.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP192\A0035631.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP192\A0035622.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP192\A0035640.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP192\A0035649.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP193\A0036663.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP193\A0035658.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP193\A0036671.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP193\A0036678.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP193\A0036686.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP193\A0036694.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037704.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037730.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037731.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037734.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037735.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037736.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037739.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037751.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037752.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037750.dll (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037840.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0037907.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0038006.sys (Malware.Trace) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{9C3C10F4-7445-4686-B542-9472C037397F}\RP194\A0038156.sys (Malware.Trace) -> Quarantined and deleted successfully.

Link to post
Share on other sites

From the looks of your log file the only thing it found was in your restore points. You should be ok.

Usually after an infection, and a clean up job, you want to delete all your restore points, due to the fact that if you had to do a system restore to a previous date, you would also be restoring the malware. With that said, delete your restore points, and then create a new restore point and you should be set.

Link to post
Share on other sites

TRS-80,

Just to add to what Firefox said, don't forget to restart after you clear your restore points. :lol:

As for the temp file cleaner I told you about:

  • Please download ATF Cleaner by Atribune to your desktop or to a folder convenient for you. Information about it can be found here.
  • Once its finished, you should see a blue trashcan on your desktop or to a folder convenient for you.
  • Double click, and accept the prompt by clicking Run. If running Vista or 7, please right-click and choose "Run as Administrator".
  • Click the "select all" check box at the bottom, and if you don't want to clear your Recycle Bin, make sure you uncheck that. Then, click "Empty Selected".

If you use Firefox or Opera, click on those names at the top. Do the same thing, choosing select all. If you have saved passwords that you'd like to keep, click NO at the prompt. Again, click "Empty Selected". I recommend running ATF cleaner at least once a week :)

Link to post
Share on other sites

  • Root Admin

You also need to update to Service Pack 3 but since this post is going beyond normal information that this forum is for I will close this post.

If you need further assistance for general PC support please start a NEW topic in the PC Help forum and they people there will be able to assist you.

Thank you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.