
Win32.AutoRun.tmp & Spyware.OnlineGames, Two problems now


Kay


Hi Chris,

There is only one account on the computer so I assume I am the administrator.

This all happens at startup: (From my message #17:) "A balloon comes up from the tray: Windows has blocked some startup programs. Windows blocks programs that require permission to run when windows starts. Click to view blocked programs. Choices are:

Show or remove blocked startup program

Run blocked program

View Help

Exit

When I click on Show or remove blocked startup programs, I get the System configuration window with 5 tabs: General, Boot, Services, Startup and Tools.

Looking at the Startup and Services tabs, MBAM is shown as enabled and running -- which it is not because I have not yet selected Run blocked program. Then I have to give permission for MBAM to run."

I assume MBAM is not running since I have to give permission via tab shown in the 2nd picture.

While I was typing this, MBAM ran a flash scan and *Spyware.OnlineGames* is back. That is what caused me to start this thread and *Win32.AutoRun.tmp* was the second reason.

So actually there are three things going on: Spyware.OnlineGames (detected by MBAM), Win32.AutoRun.tmp (detected by Spybot S & D), and MBAM blocked at startup.

_________________________________

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5364

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18999

12/20/2010 6:10:36 PM

mbam-log-2010-12-20 (18-10-36).txt

Scan type: Flash scan

Objects scanned: 96550

Time elapsed: 1 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\temp\NOD1.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.

________________________________________

Every day when I start up the computer, I run Spybot to *fix* Win32.AutoRun.tmp. Obviously it is not fixed since it reappears each time the computer is started.

Thanks, Kay



  • Staff

Hi Kay,

All right-- let's tackle things one at a time.

A few things I'd like to mention before we continue:

First, Spybot's "detection." Spybot keeps saying one Registry key is remaining and that it is infected. Even if it were a real detection, it wouldn't mean anything because there is no file associated with it; meaning, it's not an active infection. We used ComboFix to remove the entry if it existed, but the detection persisted. Seems it's either a bug with Spybot, or more likely, TeaTimer is restoring that Registry key, because that's what it does: restore Registry keys and block Registry changes (like it's doing).

Did you end up running the ResetTeaTimer.exe?


Hi Chris,

No, I did not run ResetTeaTimer.exe because the link you gave me was not working. I did find a link in a thread that Maniac was working on, but was waiting to see what you had to say about it since it is in a foreign language and I have forgotten which one. (http://forums.malwarebytes.org/index.php?showtopic=70419, msg #19) Shall I go ahead and use it?

I am not at my computer and have to leave for a couple of hours. So it will be later this afternoon before I can get to this.

Thanks, Kay


Hi Chris,

OK. So I ran ResetTeaTimer.exe:

1. I booted up my computer, ignored blocked startup msg; ran Spybot as administrator and disabled SDHelper and Teatimer.

2. I rebooted the computer, downloaded ResetTeaTimer.exe from one of Maniac's msg threads that I mentioned before. Clicked twice on the ResetTeaTimer.exe and a small window opened that said that SDHelper and Teatimer couldn't be located, press any key and the .exe ran.

3. I ran Spybot scan and it detected Win32.AutoRun.tmp and I *fixed* it again.

4. I rebooted the computer twice and enabled Teatimer and SDHelper, ran a scan and Win32.AutoRun.tmp was detected again and fixed again.

While I was running the Spybot scan, MBAM ran a flash scan and nothing was detected. The blocked startup balloon came up twice and I ignored it. So I guess this means that MBAM does run just not at startup.

Kay


  • Staff

Hi Kay,

1. Uninstall Malwarebytes' Anti-Malware using Add or Remove programs in the Control Panel.

2. Restart your computer (very important).

3. Download and run this utility.

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here.

Note: You will need to reactivate the program using the license you were sent via e-mail if you purchased it.

See if it is still blocked at startup.


Hi Chris,

I followed your instructions and removed, rebooted, and reinstalled MBAM and reactivated the program with my ID and registration.

I then had to do a repair on ESET because I was getting a warning from Windows Security that it was not activated. The repair took care of that problem.

MBAM is still blocked at startup, Spyware.Online Games.tmp was detected.

______________________

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5385

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18999

12/23/2010 1:29:03 PM

mbam-log-2010-12-23 (13-29-03).txt

Scan type: Flash scan

Objects scanned: 96516

Time elapsed: 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\temp\NOD1.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.

___________________________

Spybot is still detecting Win32.AutoStart.tmp after startup.

Kay


  • Staff

Hi,

Hmm. Maybe the infection is still hiding after all.

Please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Run it and post its log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.


Hi Chris,

Here are the 3 logs you requested:

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-12-23 20:53:34

Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD501LJ rev.CR100-13

Running: gmer.exe; Driver: C:\Users\JANEDO~1\AppData\Local\Temp\axrdrfow.sys

---- System - GMER 1.0.15 ----

SSDT 84D3BB70 ZwAllocateVirtualMemory

SSDT 8576B3C8 ZwCreateProcess

SSDT 8576B1C0 ZwCreateProcessEx

SSDT 84D3BE40 ZwCreateThread

SSDT 84D3BBE8 ZwQueueApcThread

SSDT 84D3BA80 ZwReadVirtualMemory

SSDT 84D3BCD8 ZwSetContextThread

SSDT 84D3BF30 ZwSetInformationProcess

SSDT 84D3BD50 ZwSetInformationThread

SSDT 84D3BEB8 ZwSuspendProcess

SSDT 84D3BC60 ZwSuspendThread

SSDT 84D3BFA8 ZwTerminateProcess

SSDT 84D3BDC8 ZwTerminateThread

SSDT 84D3BAF8 ZwWriteVirtualMemory

SSDT 84D3B990 ZwCreateThreadEx

SSDT 84D3BA08 ZwCreateUserProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 131 81EE8894 4 Bytes [70, BB, D3, 84]

.text ntkrnlpa.exe!KeSetEvent + 209 81EE896C 8 Bytes [C8, B3, 76, 85, C0, B1, 76, ...]

.text ntkrnlpa.exe!KeSetEvent + 221 81EE8984 4 Bytes [40, BE, D3, 84]

.text ntkrnlpa.exe!KeSetEvent + 4E5 81EE8C48 4 Bytes CALL 1A736008

.text ntkrnlpa.exe!KeSetEvent + 4FD 81EE8C60 4 Bytes [80, BA, D3, 84]

.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2300] ntdll.dll!KiUserExceptionDispatcher + A 77705DD2 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2300] kernel32.dll!VirtualProtect 76081DC3 5 Bytes JMP 000169B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2300] kernel32.dll!LoadLibraryExW 760A9109 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2300] kernel32.dll!VirtualFree 760C40AA 5 Bytes JMP 00016990 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2300] kernel32.dll!VirtualAlloc 760CAD55 5 Bytes JMP 00016960 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2300] kernel32.dll!CreateFileA 760CCE5F 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[2528] kernel32.dll!SetUnhandledExceptionFilter 760AA84F 4 Bytes [C2, 04, 00, 00]

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[2760] kernel32.dll!CreateThread + 1A 760CC928 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [742A7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [742FA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [742ABB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7429F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [742A75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7429E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [742D8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [742ADA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7429FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7429FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [742971CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7432CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [742CC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7429D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74296853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7429687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Windows\Explorer.EXE[500] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [742A2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[2760] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [004508C8] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)

IAT C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[2760] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [004508C8] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

AttachedDevice \FileSystem\fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb 0 bytes

---- EOF - GMER 1.0.15 ----

_________________________________

ComboFix 10-12-23.05 - Jane Doe 12/23/2010 21:03:23.4.4 - x86

Microsoft

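One thing worth doing with the GMER log above, as an added example that is not part of the thread and not code from GMER, Malwarebytes or any other vendor mentioned here: cross-check the "Kernel code sections" patches against the "SSDT" entries. GMER prints patched bytes low-order first, so a 4-byte patch such as [70, BB, D3, 84] is the little-endian address 0x84D3BB70. If every address encoded in the KeSetEvent patches is also the handler of one of the hooked system services, the inline patches and the SSDT hooks belong to the same component, which is the pattern a HIPS-style security driver leaves; a patch that points somewhere with no SSDT match would be the thing to chase. The log text inside the script is copied from the post above; the regular expressions assume GMER 1.0.15's line layout and are mine.

```powershell
# Added example (not from the thread). Parses the SSDT and kernel-patch lines of a
# GMER 1.0.15 log and reports which hooked service each patched address belongs to.
# $gmerLog is copied from the log posted in this thread (the "..." is GMER's own
# truncation of the 8-byte patch, so only its first 4 bytes can be decoded).
$gmerLog = @'
SSDT 84D3BB70 ZwAllocateVirtualMemory
SSDT 8576B3C8 ZwCreateProcess
SSDT 8576B1C0 ZwCreateProcessEx
SSDT 84D3BE40 ZwCreateThread
SSDT 84D3BBE8 ZwQueueApcThread
SSDT 84D3BA80 ZwReadVirtualMemory
SSDT 84D3BCD8 ZwSetContextThread
SSDT 84D3BF30 ZwSetInformationProcess
SSDT 84D3BD50 ZwSetInformationThread
SSDT 84D3BEB8 ZwSuspendProcess
SSDT 84D3BC60 ZwSuspendThread
SSDT 84D3BFA8 ZwTerminateProcess
SSDT 84D3BDC8 ZwTerminateThread
SSDT 84D3BAF8 ZwWriteVirtualMemory
SSDT 84D3B990 ZwCreateThreadEx
SSDT 84D3BA08 ZwCreateUserProcess
.text ntkrnlpa.exe!KeSetEvent + 131 81EE8894 4 Bytes [70, BB, D3, 84]
.text ntkrnlpa.exe!KeSetEvent + 209 81EE896C 8 Bytes [C8, B3, 76, 85, C0, B1, 76, ...]
.text ntkrnlpa.exe!KeSetEvent + 221 81EE8984 4 Bytes [40, BE, D3, 84]
.text ntkrnlpa.exe!KeSetEvent + 4E5 81EE8C48 4 Bytes CALL 1A736008
.text ntkrnlpa.exe!KeSetEvent + 4FD 81EE8C60 4 Bytes [80, BA, D3, 84]
'@

# 1. Hooked system services: handler address -> service name.
$ssdt = @{}
foreach ($m in [regex]::Matches($gmerLog, '(?m)^SSDT\s+([0-9A-F]{8})\s+(\S+)')) {
    $ssdt[$m.Groups[1].Value] = $m.Groups[2].Value
}

# 2. Patched kernel bytes, decoded as little-endian 32-bit words and looked up in the SSDT map.
#    Lines GMER prints as a disassembled "CALL ..." carry no byte list and are skipped.
$hits = @()
$patchRe = '(?m)^\.text\s+(\S+\s+\+\s+\S+)\s+([0-9A-F]{8})\s+\d+\s+Bytes\s+\[([^\]]*)\]'
foreach ($m in [regex]::Matches($gmerLog, $patchRe)) {
    $site  = $m.Groups[1].Value
    $bytes = @($m.Groups[3].Value -split ',' |
               ForEach-Object { $_.Trim() } |
               Where-Object { $_ -match '^[0-9A-Fa-f]{2}$' })   # drops GMER's "..." marker
    for ($i = 0; $i + 3 -lt $bytes.Count; $i += 4) {
        $addr  = ($bytes[$i + 3] + $bytes[$i + 2] + $bytes[$i + 1] + $bytes[$i]).ToUpper()
        $owner = if ($ssdt.ContainsKey($addr)) { $ssdt[$addr] } else { '(no SSDT match - investigate)' }
        $hits += ('{0} : bytes encode 0x{1} -> {2}' -f $site, $addr, $owner)
    }
}
$hits
```

On the log posted here the four decodable patches resolve to ZwAllocateVirtualMemory, ZwCreateProcess, ZwCreateThread and ZwReadVirtualMemory, all of which are among the hooked services, so the kernel modifications GMER reports are one consistent set rather than a second, unknown hooker. The log shows both ESET and Webroot Spy Sweeper drivers loaded and does not say which module owns the 0x84D3Bxxx handlers, so the script cannot either; attributing the hooks to a specific driver needs a kernel debugger or a tool that resolves addresses to loaded modules.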

Hey guys, I've also started getting this same "Win32.AutoRun.tmp" Trojan detection from Spybot in the same location in the registry. I believe there's a good chance this might be a bug/glitch in Spybot that starts detecting this after you use MBAM to quarantine and delete a file. I've been able to recreate this exact same detection on another computer.

I've made a post on it here: http://forums.malwarebytes.org/index.php?showtopic=71138

And have also cross posted it over to the F/P forum, thread shown here: http://forums.malwarebytes.org/index.php?showtopic=71140

I suggest you guys take a look.

Kind regards,

- HH89


Hi Chris,

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Perform a scan with both MBAM and Spybot and see if the detections persist.

I followed your instructions and ran both scans in Safe Mode. I then remembered that I hadn't updated MBAM before I did this; so I updated MBAM and rebooted into Safe Mode again and reran the scans.

The first time MBAM detected Spyware.OnlineGames and Spybot detected Win32.AutoRun.tmp. The second time after updating MBAM, only Spybot detected Win32.AutoRun.tmp.

While I was rebooting, I had the following screen displayed twice. I assume this just means that I didn't wait long enough to reboot.

post-2329-1293313747_thumb.jpg

________________________________

I'll have to put the Spybot log in the next post. Here is the MBAM Log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5391

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18999

12/25/2010 11:22:26 AM

mbam-log-2010-12-25 (11-22-26).txt

Scan type: Quick scan

Objects scanned: 200855

Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\temp\NOD1.tmp (Spyware.OnlineGames) -> Quarantined and deleted successfully.

____________________________________

Kay


Hi Chris,

The Safe Mode Spybot scan is too large to copy and paste; so I will attach it. Interestingly, when I was trying to put the scan in my message, my computer would slow down. I had to wait for each letter that I typed to appear.

SpybotSD.Report.zip

One thing that I have failed to mention is that when I run Spybot as Administrator, Spybot indicates that there are temporary files to delete (the highest #: 82,000+) and I choose to let the files be deleted and the scan then runs. The number of files depends on how long the computer has been on.

Thanks, Kay


Hi Chris,

I ran across this thread (http://forums.spybot.info/showthread.php?t=60940) on a Spybot forum where the inquiry is about the same issue I have detected in Spybot and asking if it is a F/P. Part of the forum moderator's response: "this does not look like a false positive, there should be no entry associated with the taskmanager in Winlogon. Please attach the whole Spybot S&D report to your next post or attach it to an email to detections@spybot.info".

It would be nice to know what they determine.

Kay


Hey Kay,

My Spybot has started picking up the same detection, and I think there's a good chance it may be some bug or F/P with Spybot.

I've posted about it here http://forums.spybot.info/showthread.php?t=61005 and am just waiting on someone from the Spybot team to reply.

I've also posted it here on the MBAM forums (see my first post in this thread for links).

The reason why I think this is a FP is because I have been able to recreate this same detection on another computer. Basically once you use MBAM's function to quarantine a file, then Spybot will start detecting "Win32.AutoRun.tmp". I tried this on a clean computer with a file that MBAM detects as a PUP (potentially unwanted program). The moment I use MBAM's function to quarantine/delete a file, is when Spybot starts picking up the "Win32.AutoRun.tmp".

So with my limited knowledge, I'm guessing it's either because:

1. MBAM creates a "taskman" registry value in Winlogon whenever you use its quarantine/delete function. And if Spybot finds any entries associated with taskman in Winlogon, it will auto flag it as a trojan?

2. The file I tested it on will auto release a trojan to the registry, if it detects that MBAM is trying to quarantine/delete it. (However, I think this is unlikely as Avast and Eset online scanner are both picking up nothing).

3. Some other bug with Spybot that happens whenever you use MBAM to quarantine files.

Kind regards,

- HH89

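HH89's first hypothesis, a "taskman" value under the Winlogon key, is something you can check directly instead of relying on either scanner's verdict. The values Windows honours at logon under that key (Shell, Userinit and, when present, Taskman) are a classic persistence location, so the useful question is not "is there an entry" but "what does it point at, and does that file exist". The script below is an added example, not code from the thread, from Malwarebytes or from Safer-Networking; the expected defaults are assumptions for a 32-bit Vista install like the one in this thread (they differ on other versions), and the helper name Test-WinlogonEntry is mine.

```powershell
# Added example (not from the thread). Audits the Winlogon values that run at logon:
# Shell, Userinit and Taskman. Expected defaults are assumed for 32-bit Windows Vista.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # the trailing comma is part of the default
    Taskman  = ''                                          # no Taskman value exists on a default install
}

function Test-WinlogonEntry {
    param([string]$Name, [string]$Actual, [string]$Expected)

    if (-not $Actual) {
        if ($Expected) { return "$Name : MISSING (expected '$Expected')" }
        return "$Name : absent (normal on a default install)"
    }

    $report = @()
    if ($Expected -and ($Actual -ieq $Expected)) {
        $report += "$Name : '$Actual' (default)"
    } else {
        $report += "$Name : '$Actual'  <-- non-default value, verify it"
    }

    # These values can chain several programs separated by commas, so check each one.
    foreach ($entry in $Actual.Split(',')) {
        $path = $entry.Trim().Trim('"')
        if (-not $path) { continue }
        # A bare name (explorer.exe) is resolved through the search path; a full path is tested directly.
        $found = (Test-Path -LiteralPath $path) -or
                 ($null -ne (Get-Command $path -ErrorAction SilentlyContinue))
        $state = if ($found) { 'file exists' } else { 'FILE NOT FOUND (orphaned entry)' }
        $report += "    $path -> $state"
    }
    return $report
}

$props = Get-ItemProperty -Path $key
foreach ($name in 'Shell', 'Userinit', 'Taskman') {
    Test-WinlogonEntry -Name $name -Actual $props.$name -Expected $expected[$name]
}
```

Reading HKLM does not need an elevated prompt. The two outcomes mean different things: a Taskman value whose target no longer exists is an orphaned entry, which matches what this thread ended up calling a false positive and is harmless until something writes a file at that path; a Taskman, Shell or Userinit entry that points at an existing non-Windows executable is live logon persistence and should be investigated as such, whatever any scanner's name for it is.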

Hi Chris,

It looks like the Spybot forum is confirming Win32.Autorun.tmp as a F/P and will correct it in their next detection update. Hopefully this will be soon as I've spent 17 days not having full use of my computer.

http://forums.spybot.info/showthread.php?t=61021

Thanks also to HH89.

Now I'll have to wait and see if MBAM is still blocked on startup after the F/P in Spybot is taken care of.

Thanks, Kay


Great work guys confirming this issue!

Kay, do let me know if MBAM is still blocked after the next update happens.

Hi Chris,

I will do that if MBAM is still being blocked; I think Spybot updates in the middle of the week.

Thanks, Kay


Alright. Well, I'll keep this topic open and I'll be notified the next time you reply.

Hi Chris,

1. Booted up computer, MBAM updated along with ESET, enabled blocked MBAM

2. Updated Spybot, had some problems, received *Bad Checksum* on one item so I went to the Safer-Networking website and did a manual update. Had Program Compatibility Assistant pop up:

post-2329-1293649689_thumb.jpg

3. Selected *Reinstall using recommended settings.* Rebooted.

4. Ran Spybot, window popped up asking to remove 65,538 temporary files before running scan - Nothing detected.

5. Rebooted and MBAM is still blocked from starting up, scan was clean:

post-2329-1293649985_thumb.jpg

post-2329-1293650075_thumb.jpg

The services tab shows MBAM as stopped.

The last few days, I have come back to the computer after a couple of hours and had a screen message that the computer has recovered from an unexpected shutdown - can check for solution but nothing shows on the screen. There is a minidump created if I remember correctly, but I don't know how to access it from Win Explorer. I suspect this is M$ info - maybe not useful to you.

Thanks, Kay


Let me consult with our developers and I'll be back with you as soon as possible.

Hi Chris,

I just came home after being gone for a couple of hours - unexpected computer shutdown again and MBAM shows blocked from startup.

post-2329-1293662604_thumb.jpg

Following is text from unexpected shutdown window:

Problem signature:

Problem Event Name: BlueScreen

OS Version: 6.0.6002.2.2.0.768.3

Locale ID: 1033

Additional information about the problem:

BCCode: 9f

BCP1: 00000003

BCP2: 84D30030

BCP3: 86C05030

BCP4: 85637970

OS Version: 6_0_6002

Service Pack: 2_0

Product: 768_1

Files that help describe the problem:

C:\Windows\Minidump\Mini122910-01.dmp

C:\Users\Jane Doe\AppData\Local\temp\WER-75738-0.sysdata.xml

C:\Users\Jane Doe\AppData\Local\temp\WER9720.tmp.version.txt

Read our privacy statement:

http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409

I don't know if this is helpful or not...

Thanks, Kay

Shutdown.txt

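The "Problem signature" block Kay pasted is enough to identify the crash type without opening the dump, and the dump itself is not hidden: it sits in C:\Windows\Minidump, as the signature says. The script below is an added example, not code from the thread or from Microsoft; the signature text inside it is copied from the post above, the minidump folder and the "BugCheck" System-log source are standard Windows locations, and the function name ConvertFrom-BugCheckSignature and the small name table are mine.

```powershell
# Added example (not from the thread). Extracts the bug check code and parameters from
# the "Problem signature" text Windows shows after an unexpected restart, then lists
# the minidumps and the matching System-log records for follow-up.
$signature = @'
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033
BCCode: 9f
BCP1: 00000003
BCP2: 84D30030
BCP3: 86C05030
BCP4: 85637970
'@

function ConvertFrom-BugCheckSignature {
    param([string]$Text)
    $sig = @{}
    foreach ($m in [regex]::Matches($Text, '(?m)^(BCCode|BCP[1-4]):\s*([0-9A-Fa-f]+)')) {
        $sig[$m.Groups[1].Value] = [Convert]::ToUInt32($m.Groups[2].Value, 16)
    }
    # Only the stop code seen in this thread is named here; extend the table as needed.
    $names = @{ 0x9F = 'DRIVER_POWER_STATE_FAILURE' }
    $code  = [int]$sig['BCCode']
    New-Object PSObject -Property @{
        Code   = ('0x{0:X8}' -f $code)
        Name   = $(if ($names.ContainsKey($code)) { $names[$code] } else { 'unknown' })
        Params = @(1..4 | ForEach-Object { '0x{0:X8}' -f $sig["BCP$_"] })
    }
}

$bc = ConvertFrom-BugCheckSignature $signature
"Bug check $($bc.Code) $($bc.Name); parameters: $($bc.Params -join ', ')"

# Minidumps are written here unless crash-dump settings have been changed; newest first.
Get-ChildItem "$env:SystemRoot\Minidump" -Filter *.dmp -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime, Length

# Windows logs each crash to the System log on the next boot (source "BugCheck", event 1001),
# so repeated shutdowns can be counted and timed even if the dump files were cleaned up.
Get-EventLog -LogName System -Source BugCheck -Newest 5 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, Message
```

For the signature in this thread the code is 0x9F, DRIVER_POWER_STATE_FAILURE, and parameter 1 = 0x3 means a device object held a power IRP for too long; the remaining parameters are kernel pointers that only a debugger can turn into a driver name (WinDbg's !analyze -v on the .dmp file). That points at a driver problem rather than at the Spybot detection or the MBAM startup block, which is consistent with Chris treating the crashes as a separate issue.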

Hi Kay,

My apologies for the delay.

The block is coming from Windows Defender. To troubleshoot this, disable it as shown here:

http://www.vista4beginners.com/How-to-disa...indows-Defender

See if that will lift the block.

Hi Chris,

I'm afraid that wasn't the answer. Windows Defender is turned off; I double-checked. I mentioned in my first message when the problems started that Windows Defender was somehow turned on and that I had disabled it again.

On the off chance that the F/P in Spybot was the culprit for MBAM being blocked, I uninstalled, used the removal utility, and reinstalled MBAM with ID and reg number. This didn't make any difference; it is still blocked at startup.

Kay


This topic is now closed to further replies.