A Windows XP help forum. PCbanter

malicious software removal tool



 
 
  #31  
Old September 21st 09, 08:10 PM posted to microsoft.public.windowsxp.security_admin
lopar

Good news is that I have just downloaded KB915597 and no probs. If it's
Defender related then it's not all Defender updates. Won't know until the 15th. It
sounds like you are running out of ideas to help further.... perhaps the
next step is to await 15 October therefore and see what happens then.
Thanks for your continued support.
Please page down for other comments on your post.

"1PW" wrote:

> lopar wrote:
>> OK, ran sas in safe mode, nothing except cookies found.. reran mwb and nothing
>> at all found.
>> Ran search in Explorer for cbs.log but nothing found with that name. Search
>> included system files, hidden folders and sub folders ??
>> Did you see the mwb log I posted ?
>
> I believe a reboot deletes the cbs.log file unless it's renamed before
> the deletion occurs.
>
> MBAM
>
> Yes - I saw two Trojans and you also related the download3000 thing.
> I was hoping for a better outcome. However, the other things you have
> mentioned along the way lead me to believe that more serious damage
> has taken place.

Very cryptic - like, what sort of damage?
I take it you advise me to uninstall the s/saver ? Is there any way to
retain it and fix the problem ?

> If the malware removals by MBAM and Shenan Stanley's cleanup procedure
> do not eliminate your repeating trouble, I believe a "Flatten and
> Rebuild" procedure is the next reasonable step.

Don't know what flatten and rebuild is but it sounds hideous.....
As I said, Shenan's comments, whilst appreciated, may be a step too far for
me. I only get an hour or so between work and family commitments to do this
stuff - his "8 to 10 hours" post would be a big deal for me and would be
warranted only if there was a major system problem. At the moment, unless
there is something you are not telling me, it's just an 'irritation' having to
restore so often. That is certainly not to say that his and your help isn't
welcome though.

> I do hope you have your system's original install/recovery CDs.

It depends what you mean by "original". The OS was 98 which I upgraded to ME
(installed over the top of 98), then upgraded to XP using an 'upgrade disk'. I
still have the upgrade disk if that's what you mean. (Incidentally, when I did
the scannow thing it repeatedly (about 10 times) asked for the disk to be
inserted, even though it was inserted and was clearly reading from the disk. I
had inserted the XP upgrade disk. Perhaps it didn't get any info from it ??
Don't know if that is relevant).

>> "1PW" wrote:
>>> lopar wrote:
>>>> I'm sorry I don't know how to access the cbs.log?
>>> Do a search for it. When found, it can be read with Notepad.
>>>
>>> --
>>> 1PW
>
> --
> 1PW

  #32  
Old September 22nd 09, 08:53 AM posted to microsoft.public.windowsxp.security_admin
1PW[_4_]

lopar wrote:
> Good news is that I have just downloaded KB915597 and no probs. If it's
> Defender related then it's not all Defender updates. Won't know until the 15th. It
> sounds like you are running out of ideas to help further....

You have related what amounts to permanent damage. I'm afraid nobody
has real solutions for what you reported.

> perhaps the
> next step is to await 15 October therefore and see what happens then.
> Thanks for your continued support.
> Please page down for other comments on your post.

I suppose if you are willing to live with the state of your system for
an indefinite time, then the status quo might leave you without some
safety features.

> "1PW" wrote:
>
>> lopar wrote:
>>> OK, ran sas in safe mode, nothing except cookies found.. reran mwb and nothing
>>> at all found.
>>> Ran search in Explorer for cbs.log but nothing found with that name. Search
>>> included system files, hidden folders and sub folders ??
>>> Did you see the mwb log I posted ?
>>
>> I believe a reboot deletes the cbs.log file unless it's renamed before
>> the deletion occurs.
>>
>> MBAM
>>
>> Yes - I saw two Trojans and you also related the download3000 thing.
>> I was hoping for a better outcome. However, the other things you have
>> mentioned along the way lead me to believe that more serious damage
>> has taken place.
>
> Very cryptic - like, what sort of damage?

Directories that are now capitalized as if they were recreated.

> I take it you advise me to uninstall the s/saver ? Is there any way to
> retain it and fix the problem ?

Anything from download3000 is potentially very dangerous.

>> If the malware removals by MBAM and Shenan Stanley's cleanup procedure
>> do not eliminate your repeating trouble, I believe a "Flatten and
>> Rebuild" procedure is the next reasonable step.
>
> Don't know what flatten and rebuild is but it sounds hideous.....
> As I said, Shenan's comments, whilst appreciated, may be a step too far for
> me. I only get an hour or so between work and family commitments to do this
> stuff - his "8 to 10 hours" post would be a big deal for me and would be
> warranted only if there was a major system problem. At the moment, unless
> there is something you are not telling me, it's just an 'irritation' having to
> restore so often. That is certainly not to say that his and your help isn't
> welcome though.

I apologize for the overuse of jargon. Flatten & Rebuild is the
process of using your original install media (your CDs) to perform a
format of your system's hard disk drive. Effectively this erases
*everything* that ever was there. Then an entirely new system is
built from your install/recovery media.

--
1PW
  #33  
Old September 25th 09, 08:24 PM posted to microsoft.public.windowsxp.security_admin
Twayne[_2_]

"lopar" wrote in message

> Every month, around the 15th, my profile settings are corrupted and I
> have to do a system restore to get them back. The system generated
> restore point immediately before this happens is labelled by the
> system 'Software Distribution Service 3.0'. On looking into this it
> seems that at some point I have accepted an EULA to download and run
> something called Malicious Software Reporting Tool, and recently (a
> few months ago) Microsoft announced that they would update this
> program each month (the second Tuesday of the month) and it would
> from then on automatically run a system check in the background for
> malicious software. I checked on Google and there was one reference
> to this potentially corrupting profile settings for users.
> This would seem to be the cause of the problem therefore.
> The solution on the Microsoft web page was to remove the tool from the
> automatic updates list, however this item is not listed on my
> automatic updates (it's not hidden either). I have therefore changed
> my updates to notify me but not download or install. When the
> program popped up a few days ago I did not therefore download it.
> Yesterday however I did download a Windows Defender security update
> (which I assumed was unrelated), however the system has now been
> corrupted again.
>
> Things I have done to try and fix this
>
> 1. Tried to remove it using Add/Remove Programs - it won't let you.
> 2. Searched for the individual files in the directory to manually
> delete them - they seemed to be system files and it wouldn't let me.
> 3. I found a reference to this tool working in conjunction with
> Windows Genuine Advantage, so I tried to remove that as well as in 1
> and 2 above - I did find some files but couldn't delete the main one.
> 4. Did a registry search to try and find these files and deleted a few
> entries to at least cause the program to fall over (I hoped), but
> evidently that didn't work either.
> 5. Checked my firewall (ZoneAlarm) and blocked the malicious
> software tool - no effect (couldn't find Software Distribution
> Service in ZA so couldn't block that).
> 6. Tried to find either program in the applications tray to disable
> it there (Ctrl-Alt-Delete) but couldn't see it.
> 7. Tried to block it in Windows Defender (in the bit that lists all
> programs running) but it's not listed.
> 8. Contacted Microsoft help on email who were totally useless.
> 9. Tried to access their expert user (I assume a blog page) but the
> system kept telling me my settings weren't right to access that
> service. I changed the settings exactly as they suggested but I
> still kept getting that message.
> 10. In desperation rang them to enquire about paid support but they
> told me they would charge £60 (even if it were a 2 minute job!). I
> am not prepared to pay that for what is after all a Microsoft bug!
>
> The only other thing I can think of to do is to not download any
> updates for Windows Defender either - assuming the 2 products are
> related. However I won't know the outcome of that for another month
> since it only happens once a month.
> If it is still causing a problem then I can only assume that the
> software is already installed and will run once a month anyway
> without an update. If that's the case I need to know how to get into
> the system files to disable it - surely there must be a way ??
>
> Any help you can think of to give me would be very much appreciated -
> I am certainly trying to fix it myself without asking anyone and have
> spent many hours doing so, but I am at a dead end!
>
> For info I am running Windows XP Home, SP3, with AVG and ZA.
>
> Many thanks for your help.


When you get the downloads notification, use the Custom choice for
installing them. Then you can untick to receive the MR tool and maybe
even quit getting it offered to you by watching for the right box to
tick during the Custom install dialog.
It's always worked for me, anyway. I always look at what's about to
be installed anyway so I don't install things like IE, Silverlight, etc.
when they try to push them off as critical updates! You also get the KB#
in case you want to read about it before installing it.

HTH,

Twayne`
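Twayne's advice above is to deselect the tool in the Custom install dialog each month. The thread's underlying question, whether the Malicious Software Removal Tool is what runs on the 15th, can be tested directly: the tool writes a log of every run, so its run dates can be set against the dates the profile broke, and Microsoft documents a policy value that stops Windows Update offering it at all. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes the log is at %windir%\debug\mrt.log and that each run opens with a line ending "Started On <date>", has a "Results Summary:" section and closes with a line ending "Finished On <date>" (the layout is an assumption); the policy value HKLM\SOFTWARE\Policies\Microsoft\MRT\DontOfferThroughWUAU is the one documented in KB891716.

```powershell
# Added example for this thread (not from the original posts or from Microsoft).
# 1) Get-MrtRun      : parses the Malicious Software Removal Tool log so its run
#                      dates can be set against the days the profile broke.
# 2) Test-MrtBinary  : confirms the MRT.exe left in System32 is Microsoft-signed.
# 3) Disable-MrtOffer: sets the policy value Microsoft documents (KB891716) to
#                      stop Windows Update offering the tool each month.
# Assumptions: log at %windir%\debug\mrt.log; each run opens with a line ending
# "Started On <date>", has a "Results Summary:" section, and closes with a line
# ending "Finished On <date>". Written for PowerShell 2.0 (XP SP3) and later.

function Get-MrtRun {
    param([string]$LogPath = (Join-Path $env:windir 'debug\mrt.log'))

    if (-not (Test-Path $LogPath)) {
        Write-Warning "No MSRT log at $LogPath - the tool has not run on this machine."
        return
    }

    $run = $null
    $inSummary = $false
    foreach ($line in Get-Content $LogPath) {
        if ($line -match 'Started On\s+(.+)$') {
            $run = New-Object PSObject -Property @{ Started = $matches[1].Trim(); Finished = $null; Result = $null }
            $inSummary = $false
        }
        elseif ($run -and $line -match 'Finished On\s+(.+)$') {
            $run.Finished = $matches[1].Trim()
            $run                      # emit the completed run record
            $run = $null
        }
        elseif ($run -and $line -match '^Results Summary:') {
            $inSummary = $true
        }
        elseif ($run -and $inSummary -and -not $run.Result -and $line -match '\S' -and $line -notmatch '^-+$') {
            $run.Result = $line.Trim()   # first real line under the summary header
        }
    }
}

function Test-MrtBinary {
    $path = Join-Path $env:windir 'System32\MRT.exe'
    if (-not (Test-Path $path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path      = $path
        Version   = (Get-Item $path).VersionInfo.FileVersion
        SigStatus = $sig.Status
        Signer    = $signer
    }
}

function Disable-MrtOffer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
    if ($PSCmdlet.ShouldProcess($key, 'Set DontOfferThroughWUAU = 1')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'DontOfferThroughWUAU' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

Get-MrtRun | Format-Table Started, Finished, Result -AutoSize
Test-MrtBinary | Format-List
Disable-MrtOffer -WhatIf     # preview only; drop -WhatIf in an elevated shell to apply
```

If Get-MrtRun shows no run on or near the 15th, the tool is not the trigger and the search should move elsewhere. The tool is not a resident program: each month's release runs once when Windows Update delivers it and exits, which is why steps 1 and 6 of the original post found nothing to remove or kill.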



  #34  
Old September 25th 09, 08:27 PM posted to microsoft.public.windowsxp.security_admin
Twayne[_2_]

"Peter Foldes" wrote in message

> lopar
>
> Do you have Zone Alarm installed? It is the cause of this issue.
> Uninstall ZA before downloading the Malicious Software and any
> Defender Updates. Best to remove ZA and use the built in Windows
> Firewall which does a better job anyway


Funny; I have ZA and nary a problem with MSR tool, Defender, WGA or
anything else Microsoft. Wonder what the diff is? XP SP3+

Twayne`


  #35  
Old October 15th 09, 07:21 PM posted to microsoft.public.windowsxp.security_admin
profile settings corrupted every month

Hello again - not sure if you are still willing to help me ? An update: I
did not download any of the security updates this week, however today it
displayed exactly the same problem on the same date. However I did not do a
system restore this time, I booted in safe mode, found the settings were
still there, then booted back normally and the settings returned. This seems
not to be a download problem but something on my system that runs on the 15th.
I looked at the event log (though I don't really understand much of it) and am
pasting a few things that might be relevant at the time I switched the
computer on.


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1502
Date: 15/10/2009
Time: 14:02:22
User: NT AUTHORITY\SYSTEM
Computer: S2N7O9
Description:
Windows cannot load the locally stored profile. Possible causes of this
error include insufficient security rights or a corrupt local profile. If
this problem persists, contact your network administrator.

DETAIL - The process cannot access the file because it is being used by
another process.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1508
Date: 15/10/2009
Time: 14:02:12
User: NT AUTHORITY\SYSTEM
Computer: S2N7O9
Description:
Windows was unable to load the registry. This is often caused by
insufficient memory or insufficient security rights.

DETAIL - The process cannot access the file because it is being used by
another process. for C:\Documents and Settings\Ian\ntuser.dat

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7026
Date: 15/10/2009
Time: 13:57:15
User: N/A
Computer: S2N7O9
Description:
The following boot-start or system-start driver(s) failed to load:
szkg

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I have tried to find ian/ntuser.dat but it can't display it because it's in
use ?
I am also about to delete the registry entries for szkg, which some entries
on Google say is malware.

Does any of this help?
(still grateful for any help, still trying to fix it myself by blundering
about.....)

  #36  
Old October 15th 09, 08:16 PM posted to microsoft.public.windowsxp.security_admin
Jim[_30_]

According to File.net, szkg.sys belongs to StopZilla!. If you don't have /
have never had this program on your computer, you still have malware.
Szkg.sys is not a core Windows program.

C:\Documents and Settings\Ian\ntuser.dat is a hidden file. User Ian must
have access to this file because it is the user portion of the registry. A
way to investigate this particular problem is by using Process Explorer.
Search for all programs which have a handle on the subject file.

Jim
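Jim's two leads above, the szkg driver that fails to load at boot and the process that has ntuser.dat open before the profile can load, can both be checked from the shell rather than by guessing at registry entries. The script below is an added example written for this page; it is not Jim's code, nor Sysinternals' or any vendor's. It reads the driver's service entry, checks the binary it points at (signature and SHA-256), pulls the Service Control Manager 7026 and Userenv 1502/1508 events from the last month, and, if the Sysinternals handle.exe is on the PATH (an assumption; Process Explorer's Find Handle or DLL dialog does the same interactively), lists the processes holding the hive open. The service name 'szkg' and the hive path are taken from the events lopar posted; the handle.exe output layout the parser expects is an assumption.

```powershell
# Added example for this thread (not from Jim's post or any vendor's tooling).
# Inputs are the names from the events posted above: the 'szkg' driver that
# failed to load (SCM 7026) and the hive Userenv 1508 could not open.
# Assumes handle.exe (Sysinternals) is on the PATH for the handle search and
# that its output lines look like "<process> pid: <n> type: File <hex>: <path>".

function Resolve-ImagePath {
    # Driver ImagePath values come in several spellings; turn them into a real path.
    param([string]$ImagePath)
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return ([System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path)))) -replace '-', '' }
    finally { $sha.Clear() }
}

function Get-DriverEntry {
    param([string]$Name = 'szkg')
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { Write-Warning "No service entry named $Name"; return }
    $svc = Get-ItemProperty -Path $key
    $image = Resolve-ImagePath $svc.ImagePath
    $onDisk = Test-Path $image
    $signer = $null; $hash = $null
    if ($onDisk) {
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $hash = Get-Sha256 $image
    }
    # Start 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled; Type 1 = kernel driver.
    New-Object PSObject -Property @{
        Name = $Name; Start = $svc.Start; Type = $svc.Type; ImagePath = $image
        OnDisk = $onDisk; Signer = $signer; Sha256 = $hash
    }
}

function Get-ProfileFailureEvent {
    param([int]$Days = 31)
    $since = (Get-Date).AddDays(-$Days)
    # SCM 7026 lives in the System log; Userenv 1502/1508 in the Application log on XP.
    $scm = Get-EventLog -LogName System -Source 'Service Control Manager' -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 7026 }
    $userenv = Get-EventLog -LogName Application -Source 'Userenv' -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1502 -or $_.EventID -eq 1508 }
    $all = @()
    foreach ($e in @($scm) + @($userenv)) { if ($e) { $all += $e } }
    $all | Sort-Object TimeGenerated | Select-Object TimeGenerated, Source, EventID, Message
}

function Get-HiveHolder {
    param([string]$Hive = 'C:\Documents and Settings\Ian\ntuser.dat')
    $handle = Get-Command handle.exe -ErrorAction SilentlyContinue
    if (-not $handle) {
        Write-Warning 'handle.exe not on PATH; in Process Explorer use Find > Find Handle or DLL with the same path.'
        return
    }
    & $handle.Path -accepteula $Hive 2>$null | ForEach-Object {
        if ($_ -match '^(?<proc>\S+)\s+pid:\s*(?<pid>\d+)') {
            New-Object PSObject -Property @{ Process = $matches['proc']; PID = [int]$matches['pid']; Line = $_.Trim() }
        }
    }
}

Get-DriverEntry -Name 'szkg' | Format-List
Get-ProfileFailureEvent | Format-Table -AutoSize -Wrap
Get-HiveHolder | Format-Table Process, PID -AutoSize
```

Two caveats when reading the output. While Ian is logged on, his ntuser.dat is loaded as a registry hive and the handle search will show it held by the System process, which tells you nothing; run Get-HiveHolder from a different administrator account so that anything else holding the file stands out. And a 7026 event means the registry still references the driver but the load failed, so deleting the szkg service key alone (as lopar was about to do) removes the reference without telling you whether a file is still on disk; Get-DriverEntry's OnDisk, Signer and Sha256 fields answer that before anything is deleted. In the events lopar posted, the driver failure at 13:57:15 precedes the two profile errors at 14:02, which is the order you would expect if something started at boot is what has the hive open.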




 



