
unable to Update MBAM/SAS- run ESET online



Hi Dave,

Curious this, duplicate problem 1XPC, 1X laptop

Story so far,

Updated/scanned My PC last week no problem.

WIFE

was on laptop during week and appeared to get lots of machine code pop-ups on her laptop, she didn't tell me until she got a second lot while I was sat next to her and then she told me about the other lot.

So par for the course went to update and run, AV and antispyware

Mbam, 42 days old, update went into loop.

SAS, Update failed on stage 5 Definitions Failed to update.

ESET on line scan- 3 attempts before got to start error code 3,

next step fails with definition update code 2002

IobitAV(pro) and windows defender ran clean,

NB something turned off WD

So ok rebooted to safe mode ran old versions of Mbam/SAS, both came back clean.

 

ME,

I now have identical problem with Mbam/SAS/Eset.

my Mbam/SAS, is only 6 days out of date,

ran TFC

ALL my scans came back clean, MBAM/SAS/WD/IMF/IobitAV.

Took me 3 attempts to download DDS, folder permissions error, part download

reports attached.

 

Downloaded and ran Combofix report attached,

from the error report i reset my modem, re hosts file error.

 

still same problem.

 

I have given you my reports as there is much less to go thru as the problem seems to be the same.

 

Thanks in advance

 

Roy


More info

 

Hi Dave,

 

Bit more info, wife's laptop appears to have a slight problem with a couple of her games no other apparent problems.

 

Mine seems to be running smoothly apart from AV/AS updates.

note when I ran Cfix it told me IobitAV was still running but I'd turned it off,

red marker on av icon.

Roy


I see you are running Poker Stars. Poker Stars has a history of distributing spyware in their products. However, security experts still question this program as good or bad. I recommend to remove it to prevent spyware, but it is up to you to decide if you want to keep it.

 

If you would like to uninstall it, do so as follows:

 

Press Start, and navigate to the Control Panel. When in the control panel enter Add or Remove programs. Search for and locate PokerStars, and either click Change/Remove or Remove.

*******************************************************

Please download aswMBR.exe ( 511KB ) to your desktop.

 

Double click the aswMBR.exe to run it

 

http://i424.photobucket.com/albums/pp322/digistar/aswMBR_Scan.jpg

 

Click the "Scan" button to start scan

 

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

 

http://i424.photobucket.com/albums/pp322/digistar/aswMBR_SaveLog.png

 

On completion of the scan click save log, save it to your desktop and post in your next reply

******************************************************

Download Security Check by screen317 from one of the following links and save it to your desktop.

 

Link 1

Link 2

 

* Double-click Security Check.bat

* Follow the on-screen instructions inside of the black box.

* A Notepad document should open automatically called checkup.txt

* Post the contents of that document in your next reply.

 

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.


should mention that IE, is turned OFF, hence out of date.

You should however, keep it updated. Malware just love out-of-date programs.

 

Download Combofix from any of the links below, and save it to your DESKTOP.

 

Link 1

Link 2

Link 3

 

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.
     
    You will see the following image:

http://i424.photobucket.com/albums/pp322/digistar/NSIS_disclaimer_ENG.png

 

Click I Agree to start the program.

 

ComboFix will then extract the necessary files and you will see this:

 

http://i424.photobucket.com/albums/pp322/digistar/NSIS_extraction.png

 

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

 

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

 

If you did not have it installed, you will see the prompt below. Choose YES.

 

http://i424.photobucket.com/albums/pp322/digistar/RcAuto1.gif

 

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

 

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

http://i424.photobucket.com/albums/pp322/digistar/whatnext.png

 

Click on Yes, to continue scanning for malware.

 

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

 

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

 

Note: Please do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


more info

 

Hi Dave,

progress report

 

Managed to update and run Mbam > clean

still unable to update

SAS & IobitAV (today's updated version)

Eset stage 1 good

stage 2 fails on Cannot get update is proxy configured

 

Note my ISP now uses 194.168.0.1.

 

running Cfix now

 

Roy


combofix log2

 

Hi Dave,

log attached, plus more info

 

After running CF, went to open Firefox and got the following

 

C programfiles MozillaFirefox Firefox.exe

Illegal operation attempted on a registry key marked for deletion.

would you like to delete this(or words to that effect)

I DID NOT

so rebooted

and was able to open firefox, but with the message

Firefox is not currently set as your preferred browser would you like to change this. Is this a clue?

 

1 more point for you to add in your Cfix instructions

If you are running IMF, you may get a popup asking you to allow Cfix to make registry changes please do so QUICKLY

 

 

Roy


Firefox is not currently set as your preferred browser would you like to change this. Is this a clue?

No.

 

SysProt Antirootkit

 

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

 

http://sites.google.com/site/sysprotantirootkit/

 

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


Sorry for being so late.

 

ESET Online Scan

 

Scan your computer with the ESET FREE Online Virus Scan

 

* Click the ESET Online Scanner button.

 

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop

* Double click on the esetsmartinstaller_enu.exe icon on your desktop.

* Place a check mark next to YES, I accept the Terms of Use.

 

* Click the Start button.

* Accept any security warnings from your browser.

* Leave the check mark next to Remove found threats and place a check next to Scan archives.

* Click the Start button.

* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.

* When the scan completes, click List of found threats.

* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.

* Click the Back button then click Finish.

 

In your next reply please include the ESET Online Scan Log


Eset more info

 

Hi Dave,

finally managed to run Eset online after renaming it, came back clean.

 

Current status of other antiMalware.

 

Windows Defender up to date and running last scan yesterday > clean

ASC

AV outdated unable to update via GUI or download latest version

IMF outdated unable to update via GUI or download latest version

both full scans came back clean yesterday

MalwareBytes outdated unable to update, still looping

SuperantiSpyware outdated unable to update fails stage 5.

 

A bit of bad/good news

ASC beta 6 unable to upgrade to latest version

BUT it found a misleading item the others didn't

HKCU\Software\VB and VBA program settings,

I've let it alone for the time being as it might be a False/Positive


MS online scanner

 

Hi Dave,

thought I'd try the MS online scanner, got the reply I expected, error occurred, but I looked into the debug and the error code said Unsigned file,

digging further, properties> digital signatures> details, signature invalid>

view certificate, the digital signature of the object did not verify> Install certificate>installed.

STILL failed

 

something is obviously changing the signature validation.

 

Roy


To uninstall ComboFix

 

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

 

http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg

 

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

 

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

***********************************************

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

 

Double-click TFC.exe to run it.

 

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

 

TFC will close all programs when run, so make sure you have saved all your work before you begin.

 

* Click the Start button to begin the cleaning process.

* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.

* Please let TFC run uninterrupted until it is finished.

 

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

****************************************************

Go to Microsoft Windows Update and get all critical updates.

 

----------

 

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

 

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.

* Using SpywareBlaster to protect your computer from Spyware and Malware

* If you don't know what ActiveX controls are, see here

 

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

 

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

 

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Safe Surfing!


follow up

 

Hi Dave

Thanks for all your help.

Regarding your comment RE out of date programmes, IE8 in my case.

I tried to d/load IE9, guess what would let me.

So i went

Control panel>internet properties>content>certificates>Untrusted publishers.

and found masses of them including MS and mozilla.

So now I'm gonna have fun mucking around with these.

 

Roy
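
Added example, not part of the original posts: a PowerShell audit of the same Untrusted Publishers list that the Control Panel path above opens (the `Disallowed` certificate stores), flagging entries whose subject names a vendor mentioned in this thread. It assumes PowerShell 3.0 or later; the vendor pattern list and the CSV file name are illustrative assumptions.

```powershell
# Added example: list certificates in the "Untrusted Publishers" (Disallowed) stores
# and flag those whose subject matches a security or browser vendor.
# ASSUMPTION: the patterns are simply the vendors named in this thread.
$VendorPatterns = 'Malwarebytes', 'SUPERAntiSpyware', 'ESET', 'IObit', 'Microsoft', 'Mozilla'

function Get-DisallowedCertReport {
    param(
        [string[]]$Stores   = @('Cert:\CurrentUser\Disallowed', 'Cert:\LocalMachine\Disallowed'),
        [string[]]$Patterns = $VendorPatterns
    )
    foreach ($store in $Stores) {
        # A store that does not exist on this machine is skipped.
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            # First pattern found in the subject, or $null if none matches.
            $hit = $Patterns |
                Where-Object { $cert.Subject -match [regex]::Escape($_) } |
                Select-Object -First 1
            [pscustomobject]@{
                Store         = $store
                MatchedVendor = $hit
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

$report = @(Get-DisallowedCertReport)

# Total entries per store: a very large count is itself worth reporting.
$report | Group-Object Store | Select-Object Name, Count | Format-Table -AutoSize

# Entries naming a vendor from the list above.
$report | Where-Object { $_.MatchedVendor } |
    Sort-Object Store, MatchedVendor |
    Format-Table -AutoSize Store, MatchedVendor, Subject, Thumbprint

# Save the full list so it can be attached to a reply (hypothetical file name).
$report | Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\disallowed-certs.csv') -NoTypeInformation
```

Windows itself places some revoked certificates in this store, so compare the entries against a known-clean machine before removing anything.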


Archived

This topic is now archived and is closed to further replies.
