Malwarebytes locates Malware but can't delete it.

October 28, 2012 at 11:49:54
Specs: Windows 7, AMD Athlon II X4 620 / 2.6ghz / 64 bit / 3GB RAM

Malwarebytes found this entry in the registry but can't delete it after restart:

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (PUM.UserWLoad) -> Data: C:\Users\kevvy\LOCALS~1\Temp\msaayorxe.exe -> Delete on reboot.


I have run Hitman Pro but it didn't find it.
Trojan Remover did find it but couldn't delete it either.

Any help would be much appreciated.





#1
October 28, 2012 at 13:04:02

Run these 3 free progs in EXACTLY the order listed and DO NOT reboot until after the last scan.
1- rkill.exe
http://www.technibble.com/rkill-rep...
2- tdss killer
http://support.kaspersky.com/faq/?q...
3- malwarebytes
http://www.filehippo.com/download_m...




#2
October 28, 2012 at 13:29:08

Have followed your instructions exactly as stated XpUser4Real but the entry is still there.


#3
October 28, 2012 at 13:55:58

Are you sure you spelled the infection correctly?

Now try doing the same, only this time in Safe Mode.




#4
October 28, 2012 at 15:07:34

message edited reason: no useful spend efforts with this guy


#5
October 28, 2012 at 15:23:29

Let's try this way.

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: Run ESET & post the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start → Run dialog box from the Start Menu on the desktop.



#6
October 29, 2012 at 15:32:30

XpUser4Real: I tried in Safe Mode also and the entry is still there.

To all: The name of the infection was listed by Malwarebytes in their log.
I wondered if it was the malware that changed the name in that path.

RogerSmith: I noticed your link to the Home Made programmes but your instructions are unclear so I was unable to proceed.

Johnw I will try your method tomorrow.

Thanks to all for your advice and time.



#7
October 30, 2012 at 04:40:57

message edited reason: no useful spend efforts with this guy


#8
October 31, 2012 at 10:08:51

Silly question, but did you click the box in Malwarebytes to remove it?

:: mike



#9
October 31, 2012 at 13:29:03

I followed your instructions Johnw. Here is the ESET log:

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=6ac7450f79a1bd419f5077ed2d5207c4
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-10-24 02:06:29
# local_time=2012-10-24 03:06:29 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1032 16777213 100 91 8807 94244735 0 0
# compatibility_mode=2304 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 100 94 34888925 103538441 0 0
# compatibility_mode=8192 67108863 100 0 249 249 0 0
# scanned=306061
# found=2
# cleaned=2
# scan_time=14196
C:\Users\kevvy\AppData\Roaming\Microsoft\Windows\Start Menu\QuickStores.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\kevvy\Desktop\Tools\Old Firefox Data\user.js JS/SecurityDisabler.A.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=6ac7450f79a1bd419f5077ed2d5207c4
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-10-30 11:53:03
# local_time=2012-10-30 11:53:03 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1032 16777213 100 91 6241 94801560 0 0
# compatibility_mode=2304 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 100 94 35445750 104095266 0 0
# compatibility_mode=8192 67108863 100 0 557074 557074 0 0
# scanned=304058
# found=2
# cleaned=2
# scan_time=10967
C:\Users\kevvy\Downloads\Adaware_Installer.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\kevvy\Downloads\Seven Thieves (1960) pHOTOSHOP\Seven thieves\Adobe Photoshop CS5 Extended.part1.rar a variant of Win32/HackTool.Patcher.P application (deleted - quarantined) 00000000000000


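The two ESET runs pasted above (and the extract Johnw pulls out of them later in #13) are easier to check by machine than by eye: the header counters say how many objects were found and cleaned, and the detection lines say which ones. The parser below is an added example, not ESET's code and not from anyone in this thread. It assumes the layout visible in the paste: a run opens with `# version=`, continues with `# key=value` header lines, and ends with one detection line per finding (path, threat name, object kind, action in parentheses, a hash column and a flag). `SAMPLE_LOG` is a constructed, cut-down copy of the posted log with both runs concatenated, as the paste shows them.

```python
"""Parse ESET Online Scanner log text into per-run records (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class Detection:
    path: str
    threat: str
    kind: str      # e.g. "application"
    action: str    # e.g. "cleaned by deleting - quarantined"


@dataclass
class ScanRun:
    header: dict = field(default_factory=dict)   # '# key=value' lines; repeated keys become lists
    detections: list = field(default_factory=list)
    unparsed: list = field(default_factory=list) # lines that matched neither shape (never dropped silently)


HEADER_RE = re.compile(r"^#\s*([A-Za-z_.]+)=(.*)$")
# path (may contain spaces), threat 'Family/Name' optionally prefixed 'a variant of',
# object kind, '(action)', then an optional hash column and an optional flag column.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:a variant of )?[^\s/]+/\S+)\s+"
    r"(?P<kind>\S+)\s+"
    r"\((?P<action>[^)]*)\)"
    r"(?:\s+[0-9A-Fa-f]+)?(?:\s+\S+)?\s*$"
)
IGNORED_PREFIXES = ("ESETSmartInstaller", "all ok")   # installer chatter in front of each run


def parse_eset_log(text):
    """Split a log (possibly several runs appended to one file) into ScanRun records."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(IGNORED_PREFIXES):
            continue
        m = HEADER_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if current is None or key == "version":   # assumption: '# version=' opens a new run
                current = ScanRun()
                runs.append(current)
            existing = current.header.get(key)
            if existing is None:
                current.header[key] = value
            elif isinstance(existing, list):
                existing.append(value)
            else:
                current.header[key] = [existing, value]
            continue
        if current is None:
            current = ScanRun()
            runs.append(current)
        d = DETECTION_RE.match(line)
        if d:
            current.detections.append(Detection(d["path"], d["threat"], d["kind"], d["action"]))
        else:
            current.unparsed.append(line)
    return runs


def check_counts(run):
    """True when the header's found/cleaned counters agree with the detection lines."""
    found = int(run.header.get("found", 0))
    cleaned = int(run.header.get("cleaned", 0))
    return found == len(run.detections) and cleaned == found and not run.unparsed


# Constructed sample: a shortened copy of the two runs posted in the thread.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# utc_time=2012-10-24 02:06:29
# compatibility_mode=1032 16777213 100 91 8807 94244735 0 0
# compatibility_mode=2304 16777215 100 0 0 0 0 0
# scanned=306061
# found=2
# cleaned=2
# scan_time=14196
C:\Users\kevvy\AppData\Roaming\Microsoft\Windows\Start Menu\QuickStores.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\kevvy\Desktop\Tools\Old Firefox Data\user.js JS/SecurityDisabler.A.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# utc_time=2012-10-30 11:53:03
# scanned=304058
# found=2
# cleaned=2
# scan_time=10967
C:\Users\kevvy\Downloads\Adaware_Installer.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Users\kevvy\Downloads\Seven Thieves (1960) pHOTOSHOP\Seven thieves\Adobe Photoshop CS5 Extended.part1.rar a variant of Win32/HackTool.Patcher.P application (deleted - quarantined) 00000000000000
"""

if __name__ == "__main__":
    for i, run in enumerate(parse_eset_log(SAMPLE_LOG), 1):
        print(f"run {i} {run.header.get('utc_time')}: found={run.header.get('found')} "
              f"lines={len(run.detections)} consistent={check_counts(run)}")
        for det in run.detections:
            print(f"  {det.threat:45} {det.action:35} {det.path}")
```

Anything the detection regex does not recognise lands in `unparsed` and makes `check_counts` fail, which is the behaviour you want when triaging a log: a line you could not read is not a line you can ignore.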

#10
October 31, 2012 at 14:14:25

"I followed your instructions Johnw. Here is the ESET log:"
Thanks spears.

Please copy & paste instructions into a text file, print steps & info. You will need them, as they are hard to remember, for when you are offline.

Note: Is your important stuff backed up, including your emails & address book? Anything can happen, during the clean up.

The baddies are always ahead of the goodies. Be aware, this can be a very long process, involving many different tools to clean up an infected comp.
Some infections are irremovable.
Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc.
The use of the computer is the primary factor in the decision whether to re-format and re-install, or just disinfect.
http://www.dslreports.com/faq/10063
How to report ID theft, fraud, drive-by installs, hijacking and malware?
http://www.dslreports.com/faq/10451
Change your router password if it is not strong or still uses the default one.
Hack lets intruders sneak into home routers
http://tinyurl.com/4pz64fc
http://compnetworking.about.com/od/...

If you do decide to reinstall, make sure you delete ALL partitions & format to NTFS.
D to Delete the selected partition ( XP )
http://www.blackviper.com/os-instal...
W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...
Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...

As we dismantle the infection bit by bit, that may allow the repeat use of programs, which may in turn pick up more.
Removal of infected parts of the system, may cause other parts to stop working, such as your Internet connection or Services. These then we have to repair.

If any program won't run ( due to the infection ) let me know. Post the log/logs after each run.
Screenshots ( SS ) may also be requested, or if you want to illustrate a point yourself, use the uploader.
If any of the logs are too large, upload them to a site of your choosing, or all can be done with this. I use Imgur.com
Image Uploader
http://www.softpedia.com/get/Intern...
http://www.softpedia.com/progScreen...
http://zenden.ws/imageuploader_ru

After each fix or change we make, let me know how the comp is running. Example: Still cannot boot into Normal mode.




#12
October 31, 2012 at 15:02:40

Thanks Johnw. Did you discover anything from the ESET log? I thought I should say before starting your process that my PC/internet works fine and always has. The only item I am aware of is the one Malwarebytes couldn't remove, which is, according to them, PUM (potentially unwanted software).


#13
October 31, 2012 at 15:09:30

Often, spears, there are bigger underlying problems. We will now see if that is the case for your comp.

"Did you discover anything from the ESET log?"
Extract from the ESET log.
# found=2
# cleaned=2
# scan_time=14196
C:\Users\kevvy\AppData\Roaming\Microsoft\Windows\Start Menu\QuickStores.lnk Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\kevvy\Desktop\Tools\Old Firefox Data\user.js JS/SecurityDisabler.A.Gen application (cleaned by deleting - quarantined)



#14
November 3, 2012 at 07:03:50

Here is the RogueKiller report below, Johnw.
(It also logged a quarantine report, which I can post if needed.)

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : kevvy [Admin rights]
Mode : Scan -- Date : 11/03/2012 13:53:31

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\kevvy\LOCALS~1\Temp\msaayorxe.exe) -> FOUND
[SHELL][SUSP PATH] HKUS\S-1-5-21-3100955987-3488160046-719567490-1001[...]\Windows : Load (C:\Users\kevvy\LOCALS~1\Temp\msaayorxe.exe) -> FOUND
[TASK][SUSP PATH] {03C21DF5-BF84-4B72-9E6B-06238AD825AC} : C:\Users\Administrator\Desktop\Adobe CS5\Photoshop\Adobe CS5\Set-up.exe -> FOUND
[TASK][SUSP PATH] {39F209B0-5AEF-4DC5-9E79-72A8406663A6} : C:\Windows\system32\pcalua.exe -a "C:\Users\kevvy\Desktop\Internet Download Manager v5.18 Build 8\idm518.exe" -d "C:\Users\kevvy\Desktop\Internet Download Manager v5.18 Build 8" -> FOUND
[TASK][SUSP PATH] {9769EDFB-AEDE-4BF0-8383-B928BA7BD547} : C:\Users\kevvy\Desktop\Progs\Office2003Lite\Office2003Lite-SFX.exe -> FOUND
[TASK][SUSP PATH] {BFBC9F92-1709-4042-99C6-082C1A0D244A} : C:\Users\Administrator\Desktop\Adobe CS5\Photoshop\Adobe CS5\Set-up.exe -> FOUND
[TASK][SUSP PATH] {D2957C80-DDA8-4772-901C-E637E48A25CE} : C:\Users\kevvy\Desktop\Doctor Who - Destiny of the Doctors\DOD.exe -> FOUND
[TASK][SUSP PATH] {DFB36A59-8363-4006-96CA-40A2E3F7AA13} : C:\Windows\system32\pcalua.exe -a C:\Users\kevvy\Desktop\Progs\Office2003Lite\Office2003Lite-SFX.exe -> FOUND
[TASK][SUSP PATH] HPSA Upgrade : C:\ProgramData\Hewlett-Packard\HPSAUpgrade3\HpSAUpgrade.exe -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD32 00AAJS-60M0A SCSI Disk Device +++++
--- User ---
[MBR] c0a3bb0fbd566623c9fe953c77cf26b6
[BSP] 9dc8814c110652bd7d99f3e836158ab6 : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 292195 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 598622208 | Size: 12948 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



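The `Load` value Malwarebytes reported in the first post and the two `[SHELL][SUSP PATH]` lines in this RogueKiller report are the same autostart seen twice (once via HKCU, once via the user's SID under HKUS): the `Load` value under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows` names a program that Windows starts at logon, and here it points into a Temp directory written with an 8.3 short name (`LOCALS~1`). The script below is an added example, not RogueKiller's or Malwarebytes' code and not from anyone in this thread. It parses the report's `[CAT][SUB] location : detail -> FOUND` lines, pulls out the file paths each entry refers to, and flags the properties a responder looks at first when an autostart entry keeps coming back. The flag names, the triage rules and `SAMPLE_REPORT` (a constructed subset of the posted report) are this example's own choices.

```python
"""Triage the registry/task entries of a RogueKiller-style report (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# '[CAT][SUB] location : detail -> STATUS'; the second bracket group is absent on [HJ DESK] lines.
ENTRY_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\](?:\[(?P<sub>[^\]]+)\])?\s+"
    r"(?P<loc>.*?)\s*:\s*(?P<detail>.*?)\s*->\s*(?P<status>\w+)\s*$"
)
# A Windows path up to a program-like extension; stops at quotes so quoted arguments stay separate.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.(?:exe|dll|scr|lnk|bat|cmd|vbs|js)\b', re.I)


@dataclass
class Entry:
    cat: str
    sub: Optional[str]
    loc: str
    detail: str
    status: str
    paths: list = field(default_factory=list)
    flags: list = field(default_factory=list)


def triage_path(path):
    """Properties of an autostart target worth a second look (flag names are constructed)."""
    p = path.lower()
    flags = []
    if "\\temp\\" in p or "\\tmp\\" in p:
        flags.append("temp_dir")       # legitimate autostarts do not normally live in Temp
    if re.search(r"~\d+(\\|$)", p):
        flags.append("short_name")     # 8.3 alias such as LOCALS~1 hides the real directory name
    if "\\users\\" in p or "\\documents and settings\\" in p:
        flags.append("user_profile")   # writable without admin rights
    return flags


def triage_entry(entry):
    """Combine per-path flags with flags that depend on where the entry lives."""
    flags = set()
    for path in entry.paths:
        flags.update(triage_path(path))
    # The legacy Load value under ...\Windows NT\CurrentVersion\Windows runs its program at logon.
    if entry.loc.lower().endswith("\\windows") and entry.detail.lower().startswith("load"):
        flags.add("load_value")
    # pcalua.exe (Program Compatibility Assistant launcher) starts the program given after -a;
    # the wrapped target, not the wrapper, is what to look at.
    if entry.paths and entry.paths[0].lower().endswith("\\pcalua.exe"):
        flags.add("wrapped_by_pcalua")
    return sorted(flags)


def parse_rk_entries(text):
    """Return the parsed and triaged entries; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = Entry(m["cat"], m["sub"], m["loc"], m["detail"], m["status"])
        e.paths = PATH_RE.findall(e.detail)
        e.flags = triage_entry(e)
        entries.append(e)
    return entries


# Constructed sample: four lines taken from the report posted above.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 4 ¤¤¤
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\kevvy\LOCALS~1\Temp\msaayorxe.exe) -> FOUND
[TASK][SUSP PATH] {39F209B0-5AEF-4DC5-9E79-72A8406663A6} : C:\Windows\system32\pcalua.exe -a "C:\Users\kevvy\Desktop\Internet Download Manager v5.18 Build 8\idm518.exe" -d "C:\Users\kevvy\Desktop\Internet Download Manager v5.18 Build 8" -> FOUND
[TASK][SUSP PATH] HPSA Upgrade : C:\ProgramData\Hewlett-Packard\HPSAUpgrade3\HpSAUpgrade.exe -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
"""

if __name__ == "__main__":
    for e in parse_rk_entries(SAMPLE_REPORT):
        tag = f"[{e.cat}]" + (f"[{e.sub}]" if e.sub else "")
        print(f"{tag:22} {e.status:6} flags={e.flags or '-'}")
        for p in e.paths:
            print(f"{'':29} {p}")
```

Run against the full report, the entry that collects `load_value`, `temp_dir` and `short_name` at once is the one to deal with first; the HP updater task and the `NewStartPanel` desktop-icon values get no flags, which matches a reading of the report where `SUSP PATH` means "unusual location", not "malicious".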
