A Windows XP help forum. PCbanter


malicious software removal tool



 
 
  #16  
Old September 18th 09, 10:52 AM posted to microsoft.public.windowsxp.security_admin
1PW[_4_]
external usenet poster
 
Posts: 188
Default malicious software removal tool

lopar wrote:
OK thanks but its definitely not there, caps or not. now i'm stuck


Have you run chkdsk yet?

Have you run sfc /scannow yet?

--
1PW
  #17  
Old September 18th 09, 11:08 AM posted to microsoft.public.windowsxp.security_admin
lopar
external usenet poster
 
Posts: 16
Default malicious software removal tool

yes i saw the corruption on 15 this month.
i know about chkdsk and can run that if you think i should but not heard of
the sfc one - can you tell me how to do that ?

  #18  
Old September 18th 09, 07:32 PM posted to microsoft.public.windowsxp.security_admin
1PW[_4_]
external usenet poster
 
Posts: 188
Default malicious software removal tool

lopar wrote:
yes i saw the corruption on 15 this month.
i know about chkdsk and can run that if you think i should but not heard of
the sfc one - can you tell me how to do that ?


System File Checker:

http://support.microsoft.com/kb/310747

Have your Microsoft installation CD mounted in your CD/DVD drive, then
from a command prompt: sfc /scannow


Q: Have you written in a previous post that you checked "Scheduled
Tasks" and that nothing is seen that corresponds to the 15th of the month?

--
1PW
  #19  
Old September 19th 09, 04:46 AM posted to microsoft.public.windowsxp.security_admin
lopar
external usenet poster
 
Posts: 16
Default malicious software removal tool

Latest thoughts/activity: since there is no mrt file it can't be running
automatically, therefore the problem is related to a download. ? link to za
? have manually downloaded the defender updates now from this link
https://www.microsoft.com/security/p...?wa=wsignin1.0
and no effect, therefore its something to do with automatic downloads.
(incidentally, i have to use this link to get updates to defender since the
update tool in defender doesn't work - it tells me there are no updates
available even when there is an icon in the sys tray telling me there are
updates. this might therefore be relevant).
therefore i won't download next automatic update and see if problem recurs
on 15/10. if it does there is something running on the machine. if it
doesn't then theory confirmed, get the specific KB download manually, recheck
for problem, if it occurs do system restore to before the download then get
that specific KB update again but with disabled za (disable rather than
uninstall) and see if that works.
are you good with this logic ?

answers to your questions
1. have now run chkdsk and no probs
2. have checked scheduled tasks and nothing with that date in
3. will get sfc tomorrow (don't know where you are writing from but its 4.30
am in uk and i'm tired !

thanks for your patience......

  #20  
Old September 19th 09, 08:04 AM posted to microsoft.public.windowsxp.security_admin
1PW[_4_]
external usenet poster
 
Posts: 188
Default malicious software removal tool

lopar wrote:
Latest thoughts/activity: since there is no mrt file it can't be running
automatically, therefore the problem is related to a download. ? link to za
? have manually downloaded the defender updates now from this link
https://www.microsoft.com/security/p...?wa=wsignin1.0
and no effect, therefore its something to do with automatic downloads.
(incidentally, i have to use this link to get updates to defender since the
update tool in defender doesn't work - it tells me there are no updates
available even when there is an icon in the sys tray telling me there are
updates. this might therefore be relevant).


This can be resolved later with a post to:

microsoft.private.security.spyware.general (Windows Defender Specific
Newsgroup)

therefore i won't download next automatic update and see if problem recurs
on 15/10. if it does there is something running on the machine. if it
doesn't then theory confirmed, get the specific KB download manually, recheck
for problem, if it occurs do system restore to before the download then get
that specific KB update again but with disabled za (disable rather than
uninstall) and see if that works.
are you good with this logic ?


My gut feeling says the trouble is elsewhere but where I don't know
yet. You won't harm your system from what I read and you'll learn
something.

answers to your questions
1. have now run chkdsk and no probs


Excellent.

2. have checked scheduled tasks and nothing with that date in


Drat!

3. will get sfc tomorrow (don't know where you are writing from but its 4.30
am in uk and i'm tired !


I understand.

In the US, I'm a third of the world away from you, but I'm up anyway.
Obey the call of Morpheus.

thanks for your patience......


You are very welcome.

I was hoping you could find time to follow Shenan Stanley's suggestions.

Honestly, after that, the best move may be a "Flatten & Rebuild" but
we can still check a few more things before then.

--
1PW
  #21  
Old September 19th 09, 05:00 PM posted to microsoft.public.windowsxp.security_admin
lopar
external usenet poster
 
Posts: 16
Default malicious software removal tool

i have had another thought, which i hope is not a source of great irritation
to you because i have only just thought of it.
the corruption only occurs on my profile - there are 4 profiles on the
system, 3 of which have admin rights inc mine (though no one else in the
house does any system stuff or downloads). this realisation made me think
about what the differences are between the profiles and the only difference
is that mine has a non standard MS product on it - a screensaver
http://www.download3000.com/download_45524.html
it is available to all users but only activated on mine. plus i installed
it in May and have been encountering this problem for about 4 or 5 months (so
about right).
is it possible then that there is some weird interaction going on between
the s/saver and the defender /mrt updates (which are the only ones seeming to
cause the problem)? if so is it possible to keep the s/saver (which is
really rather nice) and also fix the problem do you think ?

i have also now run malwarebytes and it found a few things inc a trojan.
didn't look significant, but i wouldn't know....

on Stanley's suggestions, very comprehensive and welcome, however a last
resort for me, partly because it looks like they would take 2 or 3 days to
work thru and partly because they seem to involve uninstalling a lot of
products and updates, and for a relatively inexperienced user like me (i am
guessing you have a sense of where i am experience wise by now) this makes me
nervous.

  #22  
Old September 19th 09, 06:20 PM posted to microsoft.public.windowsxp.security_admin
Shenan Stanley
external usenet poster
 
Posts: 10,523
Default malicious software removal tool

snipped

lopar wrote:
snipped
on Stanley's suggestions, very comprehensive and welcome, however a
last resort for me, partly because it looks like they would take 2
or 3 days to work thru and partly because they seem to involve
uninstalling a lot of products and updates, and for a relatively
inexperienced user like me (i am guessing you have a sense of where
i am experience wise by now) this makes me nervous.


About 8-10 hours - if you don't pay close attention to it.

It's not complicated, it's not dangerous. Everything I suggested is fairly
safe - especially if done in the order given.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


  #23  
Old September 19th 09, 06:24 PM posted to microsoft.public.windowsxp.security_admin
lopar
external usenet poster
 
Posts: 16
Default malicious software removal tool

was there anything on my last post - where i talk about the screensaver ? i
typed it once, lost it then typed it again, but its looking blank from this
end ?
i have also just run sfc, it didn't give me any info, so i assume all ok.

  #24  
Old September 20th 09, 10:32 AM posted to microsoft.public.windowsxp.security_admin
1PW[_4_]
external usenet poster
 
Posts: 188
Default malicious software removal tool

lopar wrote:
was there anything on my last post - where i talk about the screensaver ? i
typed it once, lost it then typed it again, but its looking blank from this
end ?


That's strange.

i have also just run sfc, it didn't give me any info, so i assume all ok.


Check the "cbs.log" carefully.

--
1PW
  #25  
Old September 20th 09, 11:07 AM posted to microsoft.public.windowsxp.security_admin
1PW[_4_]
external usenet poster
 
Posts: 188
Default malicious software removal tool

lopar wrote:
i have had another thought, which i hope is not a source of great irritation
to you because i have only just thought of it.
the corruption only occurs on my profile - there are 4 profiles on the
system, 3 of which have admin rights inc mine (though no one else in the
house does any system stuff or downloads). this realisation made me think
about what the differences are between the profiles and the only difference
is that mine has a non standard MS product on it - a screensaver
hXXp://www . download3000 . c om/download_45524.html


This too, AND that site, is very bad news indeed!

it is available to all users but only activated on mine. plus i installed
it in May and have been encountering this problem for about 4 or 5 months (so
about right).
is it possible then that there is some weird interaction going on between
the s/saver and the defender /mrt updates (which are the only ones seeming to
cause the problem)? if so is it possible to keep the s/saver (which is
really rather nice) and also fix the problem do you think ?

i have also now run malwarebytes and it found a few things inc a trojan.
didn't look significant, but i wouldn't know....


This /is/ serious of course! The fact that you were asked to run MBAM
four days ago doesn't help. Now. With the greatest precision, open
the MBAM log and cut/paste the relevant infection information only,
into a reply to this thread.

Download, install, launch, and *UPDATE*, SAS. Then reboot into "Safe
Mode" and only then, scan your system with SAS. Then reboot back to
normal mode.

Repeat the MBAM scan with the latest updates again.

on Stanley's suggestions, very comprehensive and welcome, however a last
resort for me, partly because it looks like they would take 2 or 3 days to
work thru and partly because they seem to involve uninstalling a lot of
products and updates, and for a relatively inexperienced user like me (i am
guessing you have a sense of where i am experience wise by now) this makes me
nervous.


The devil is in the details!

--
1PW
  #26  
Old September 20th 09, 04:42 PM posted to microsoft.public.windowsxp.security_admin
lopar
external usenet poster
 
Posts: 16
Default malicious software removal tool

i'm sorry i don't know how to access the cbs.log?

  #27  
Old September 20th 09, 04:50 PM posted to microsoft.public.windowsxp.security_admin
lopar
external usenet poster
 
Posts: 16
Default malicious software removal tool

here we are

Malwarebytes' Anti-Malware 1.41
Database version: 2818
Windows 5.1.2600 Service Pack 3

18/09/2009 09:17:13
mbam-log-2009-09-18 (09-17-13).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 263880
Time elapsed: 2 hour(s), 30 minute(s), 43 second(s)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca}
(Adware.MyWebSearch) - Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6}
(Rogue.DriveCleaner) - Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Seekapp
(Adware.SeekApp) - Quarantined and deleted successfully.
C:\Program Files\Seekapp (Adware.SeekApp) - Quarantined and deleted
successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\cnkgtz_nav.dat (Adware.NaviPromo) - Quarantined and
deleted successfully.
C:\WINDOWS\hosts (Trojan.Agent) - Quarantined and deleted successfully.

i already have superantispyware and run it regularly, however will rerun in
safe mode and let you know.
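
The MBAM log posted above, worked through as an added example (not part of the thread, and not Malwarebytes' own tooling): a Python parser that rejoins the entries the mail client wrapped, then groups detections by family and by whether they sit in one user's profile or machine-wide. The function names and the user/machine split are assumptions of this example.

```python
import re
from collections import Counter

# Header trimmed; detections as posted in the log above, with the mail
# client's line wraps kept and the stray space in "CurrentVersion" removed.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2818

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 263880

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca}
(Adware.MyWebSearch) - Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6}
(Rogue.DriveCleaner) - Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Seekapp
(Adware.SeekApp) - Quarantined and deleted successfully.
C:\Program Files\Seekapp (Adware.SeekApp) - Quarantined and deleted
successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\cnkgtz_nav.dat (Adware.NaviPromo) - Quarantined and
deleted successfully.
C:\WINDOWS\hosts (Trojan.Agent) - Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(?P<kind>[A-Za-z ]+) Infected:$")
# "<path> (<Family.Name>) - <action sentence ending in a period>"
ENTRY = re.compile(
    r"^(?P<path>.+?)\s+\((?P<family>[\w.\-]+)\)\s+-\s+(?P<action>.+\.)$")
# XP keeps profiles under "Documents and Settings"; these two are shared.
PROFILE = re.compile(r"^[A-Z]:\\Documents and Settings\\([^\\]+)", re.I)
SHARED_PROFILES = {"all users", "default user"}


def parse_mbam_log(text):
    """Return one dict per detection, rejoining entries split across lines."""
    findings, section, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header or not line:
            buf = []  # an entry never continues past a blank line or header
            if header:
                section = header.group("kind")
            continue
        if section is None:
            continue  # scan metadata before the first "... Infected:" header
        buf.append(line)
        m = ENTRY.match(" ".join(buf))
        if m:  # the buffered lines now form one complete entry
            findings.append({"section": section, **m.groupdict()})
            buf = []
    return findings


def scope(path):
    """'user' for per-profile locations, 'machine' for everything else."""
    if path.upper().startswith(("HKEY_CURRENT_USER", "HKEY_USERS")):
        return "user"
    m = PROFILE.match(path)
    if m and m.group(1).lower() not in SHARED_PROFILES:
        return "user"
    return "machine"


def triage(findings):
    """Summarise detections and list any the scanner did not remove."""
    return {
        "families": Counter(f["family"] for f in findings),
        "scopes": Counter(scope(f["path"]) for f in findings),
        "unresolved": [f for f in findings
                       if "successfully" not in f["action"].lower()],
    }


if __name__ == "__main__":
    report = triage(parse_mbam_log(MBAM_LOG))
    print(dict(report["families"]), dict(report["scopes"]))
    print("follow-up needed:", report["unresolved"])
```
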

  #28  
Old September 20th 09, 09:00 PM posted to microsoft.public.windowsxp.security_admin
1PW[_4_]
external usenet poster
 
Posts: 188
Default malicious software removal tool

lopar wrote:
i'm sorry i don't know how to access the cbs.log?


Do a search for it. When found, it can be read with Notepad.

--
1PW
  #29  
Old September 21st 09, 12:41 AM posted to microsoft.public.windowsxp.security_admin
lopar
external usenet poster
 
Posts: 16
Default malicious software removal tool

ok ran sas in safe mode, nothing except cookies found.. reran mwb and nothing
at all found.
ran search in explorer for cbs.log but nothing found with that name. search
included system files hidden folders and sub folders ??
did you see the mwb log i posted ?

  #30  
Old September 21st 09, 05:32 AM posted to microsoft.public.windowsxp.security_admin
1PW[_4_]
external usenet poster
 
Posts: 188
Default malicious software removal tool

lopar wrote:
ok ran sas in safe mode, nothing except cookies found.. reran mwb and nothing
at all found.
ran search in explorer for cbs.log but nothing found with that name. search
included system files hidden folders and sub folders ??
did you see the mwb log i posted ?


I believe a reboot deletes the cbs.log file unless it's renamed before
the deletion occurs.

MBAM

Yes - I saw two Trojans and you also related the download3000 thing.
I was hoping for a better outcome. However, the other things you have
mentioned along the way lead me to believe that more serious damage
has taken place.

If the malware removals by MBAM and Shenan Stanley's cleanup procedure
do not eliminate your repeating trouble, I believe a "Flatten and
Rebuild" procedure is the next reasonable step.

I do hope you have your system's original install/recovery CDs.


--
1PW
 




All times are GMT +1.