
Backdoor.Messa.Gen Found, but can't remove

Backdoor.messa.gen

41 replies to this topic

#1 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 11:02 AM

Malwarebytes finds Backdoor.Messa.Gen in a number of files (see below). I do a remove all, reboot as directed, and they are still there on the next scan.

I can find very little info on this. I have searched for the "limewire.exe" files and can't find them anywhere on my drive. Is this a dangerous trojan, a false positive, etc.? Any help would be much appreciated. As instructed, the dds files (and the MWB log) are attached.


c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.




#2 MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 31 July 2012 - 11:55 AM

Welcome to the forum.

I highly suggest you uninstall Yontoo 1.10.02

Here's why:
http://www.systemloo...ient_2_dll.html

BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll

---------------------------------------------

You haven't fixed anything:

Quote

c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#3 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 01:40 PM

Thanks for your help. I had run MBAM several times. It always finds the files, I select all and remove selected, then restart (per MBAM instructions). Once I restart, they are there again (see log below; I have not removed and restarted again). I just finished a quick scan, after remove and restart, and they are there again. As I said, I've looked for those limewire.exe files and they are not found on my machine (at least not the way I'm searching). Any ideas what's going on?

Thanks for the advice on Yontoo. I'll see if Spybot S&D can remove it. MBAM does not flag it.

----START MBAM log----


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.31.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
EHarris :: D620-EHARRIS [administrator]

7/31/2012 1:08:43 PM
mbam-log-2012-07-31 (13-33-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 340587
Time elapsed: 24 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 13
c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

(end)

#4 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 01:48 PM

Here is the logfile, AFTER I do the remove all ......

---START MBAM log---


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.31.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
EHarris :: D620-EHARRIS [administrator]

7/31/2012 1:08:43 PM
mbam-log-2012-07-31 (13-08-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 340587
Time elapsed: 24 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 13
c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

(end)

#5 MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 31 July 2012 - 01:50 PM

OK, what happens when you run another scan? Is it clean? MrC


#6 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 01:54 PM

You restart and run another quick scan?

#7 MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 31 July 2012 - 01:56 PM

Yes, MrC


#8 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 03:38 PM

OK, this is strange. I removed and restarted, ran another quick scan, and it came back clean. Just to check, I restarted again and ran another scan, and lo and behold, it's back. When I restarted that second time, I got a message that said Windows could not load my local profile. I hard booted, and it loaded OK. One other observation is that it is very slow to fully bring up my desktop. Log follows:


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.31.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
EHarris :: D620-EHARRIS [administrator]

7/31/2012 3:00:18 PM
mbam-log-2012-07-31 (15-28-31)-2ndrun.txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 359728
Time elapsed: 27 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 14
c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\temp\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

(end)

#9 MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 31 July 2012 - 03:42 PM

Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.
Double click on the icon on your desktop to Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Files
    c:\documents and settings\administrator.d620-eharris\application data\limewire.exe
    c:\documents and settings\administrator\application data\limewire.exe .
    c:\documents and settings\all users\application data\limewire.exe
    c:\documents and settings\atlanticitadmin\application data\limewire.exe
    c:\documents and settings\default user\application data\limewire.exe
    c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe
    c:\documents and settings\eharris.sixsigma\application data\limewire.exe .
    c:\documents and settings\eharris\application data\limewire.exe
    c:\documents and settings\endeavoradmin\application data\limewire.exe
    c:\documents and settings\localservice\application data\limewire.exe
    c:\documents and settings\networkservice\application data\limewire.exe
    c:\documents and settings\temp\application data\limewire.exe
    c:\documents and settings\user\application data\limewire.exe
    c:\windows\system32\config\systemprofile\application data\limewire.exe
    
    :Commands
    [EMPTYJAVA]
    [emptytemp]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
MrC


#10 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 04:08 PM

It did ask me to reboot. When I restarted, the OTL dialog popped up. When I ran it, it popped up the log file in notepad. See below:


All processes killed
========== FILES ==========
File\Folder c:\documents and settings\administrator.d620-eharris\application data\limewire.exe not found.
File\Folder c:\documents and settings\administrator\application data\limewire.exe . not found.
File\Folder c:\documents and settings\all users\application data\limewire.exe not found.
File\Folder c:\documents and settings\atlanticitadmin\application data\limewire.exe not found.
File\Folder c:\documents and settings\default user\application data\limewire.exe not found.
File\Folder c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe not found.
File\Folder c:\documents and settings\eharris.sixsigma\application data\limewire.exe . not found.
File\Folder c:\documents and settings\eharris\application data\limewire.exe not found.
File\Folder c:\documents and settings\endeavoradmin\application data\limewire.exe not found.
File\Folder c:\documents and settings\localservice\application data\limewire.exe not found.
File\Folder c:\documents and settings\networkservice\application data\limewire.exe not found.
File\Folder c:\documents and settings\temp\application data\limewire.exe not found.
File\Folder c:\documents and settings\user\application data\limewire.exe not found.
File\Folder c:\windows\system32\config\systemprofile\application data\limewire.exe not found.
========== COMMANDS ==========

[EMPTYJAVA]

User: administrator

User: Administrator.D620-EHARRIS
->Java cache emptied: 12118713 bytes

User: All Users

User: AtlanticITAdmin

User: Default User

User: eharris
->Java cache emptied: 31633234 bytes

User: eharris.D620-EHARRIS

User: eharris.SIXSIGMA
->Java cache emptied: 28125345 bytes

User: eharris.SIXSIGMA.old

User: EndeavorAdmin

User: LocalService

User: NetworkService

User: TEMP

User: User

Total Java Files Cleaned = 69.00 mb


[EMPTYTEMP]

User: administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

User: Administrator.D620-EHARRIS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 469 bytes
->Java cache emptied: 0 bytes

User: All Users

User: AtlanticITAdmin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 469 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 469 bytes
->Flash cache emptied: 56478 bytes

User: eharris
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes
->Java cache emptied: 0 bytes
->Apple Safari cache emptied: 2929664 bytes
->Flash cache emptied: 195840 bytes

User: eharris.D620-EHARRIS
->Temp folder emptied: 0 bytes

User: eharris.SIXSIGMA
->Temp folder emptied: 3037530 bytes
->Temporary Internet Files folder emptied: 2016887 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 83738711 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 59577 bytes

User: eharris.SIXSIGMA.old
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 469 bytes

User: EndeavorAdmin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 469 bytes

User: LocalService
->Temp folder emptied: 547 bytes
->Temporary Internet Files folder emptied: 33237 bytes

User: NetworkService
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 33237 bytes

User: TEMP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33237 bytes
->Flash cache emptied: 56478 bytes

User: User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 679555 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 62414126 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 148.00 mb


OTL by OldTimer - Version 3.2.55.0 log created on 07312012_154843

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temp\~DF68D5.tmp not found!
File\Folder C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temp\~DFB34A.tmp not found!
File\Folder C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRF{9951623B-6D2B-48F0-BA0F-76B4E2AC74DA}.tmp not found!
File\Folder C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRS{7EAA3615-FAC8-41FF-8354-1D26A3C18D7A}.tmp not found!
File\Folder C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRS{889AE9C2-E317-4484-8F3B-3984BC432850}.tmp not found!
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_82c.dat not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_1600.dat not found!

PendingFileRenameOperations files...
File C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temp\~DF68D5.tmp not found!
File C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temp\~DFB34A.tmp not found!
File C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRF{9951623B-6D2B-48F0-BA0F-76B4E2AC74DA}.tmp not found!
File C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRS{7EAA3615-FAC8-41FF-8354-1D26A3C18D7A}.tmp not found!
File C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRS{889AE9C2-E317-4484-8F3B-3984BC432850}.tmp not found!
File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_82c.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_1600.dat not found!

Registry entries deleted on Reboot...

#11 MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 31 July 2012 - 04:12 PM

Run another scan with Malwarebytes, MrC


#12 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 04:54 PM

ID'd them again. I did remove all, but haven't restarted. Maybe irrelevant, but MBAM crashed on my first attempt at rerunning this time.


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.31.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
EHarris :: D620-EHARRIS [administrator]

7/31/2012 4:30:30 PM
mbam-log-2012-07-31 (16-51-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 360146
Time elapsed: 20 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 14
c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\temp\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

(end)

#13 MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 31 July 2012 - 04:57 PM

There's something wrong because all those files are not on the computer according to OTL:

Quote

All processes killed
========== FILES ==========
File\Folder c:\documents and settings\administrator.d620-eharris\application data\limewire.exe not found.
File\Folder c:\documents and settings\administrator\application data\limewire.exe . not found.
File\Folder c:\documents and settings\all users\application data\limewire.exe not found.
File\Folder c:\documents and settings\atlanticitadmin\application data\limewire.exe not found.
File\Folder c:\documents and settings\default user\application data\limewire.exe not found.
File\Folder c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe not found.
File\Folder c:\documents and settings\eharris.sixsigma\application data\limewire.exe . not found.
File\Folder c:\documents and settings\eharris\application data\limewire.exe not found.
File\Folder c:\documents and settings\endeavoradmin\application data\limewire.exe not found.
File\Folder c:\documents and settings\localservice\application data\limewire.exe not found.
File\Folder c:\documents and settings\networkservice\application data\limewire.exe not found.
File\Folder c:\documents and settings\temp\application data\limewire.exe not found.
File\Folder c:\documents and settings\user\application data\limewire.exe not found.
File\Folder c:\windows\system32\config\systemprofile\application data\limewire.exe not found.
========== COMMANDS ==========

=========================================================================================

Please do this........

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

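The discrepancy MrC points out (MBAM keeps listing the files while OTL reports every one of them as not found) is easiest to pin down by reconciling the scan log against the filesystem directly. The script below is an added example, not part of the thread and not Malwarebytes' or OldTimer's code: it parses the "Files Detected" section of an MBAM 1.62 log in the layout quoted above, checks each path on disk, hashes any that are present for a VirusTotal lookup, and tallies actions, on-disk status and repeated basenames. The sample log is constructed (three entries instead of the thread's fourteen) and the `exists` hook is injectable so it can be run against a recorded directory listing.

```python
"""Reconcile Malwarebytes 'Files Detected' entries against what is actually on disk."""
import hashlib
import ntpath
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample in the MBAM 1.62 log layout quoted in this thread; the
# mix of actions is illustrative, not copied from the poster's logs.
SAMPLE_LOG = """\
Folders Detected: 0
(No malicious items detected)

Files Detected: 3
c:\\documents and settings\\user\\application data\\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\\documents and settings\\temp\\application data\\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\\windows\\system32\\config\\systemprofile\\application data\\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

(end)
"""

# "<path> (<detection name>) -> <action>." with an optional trailing period.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    path: str
    name: str    # detection label as MBAM prints it, e.g. Backdoor.Messa.Gen
    action: str  # e.g. "No action taken", "Delete on reboot"


def parse_files_detected(log_text: str) -> List[Detection]:
    """Return the entries listed under 'Files Detected: N' in an MBAM log."""
    found: List[Detection] = []
    declared: Optional[int] = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Files Detected:"):
            declared = int(line.split(":", 1)[1])
            in_section = True
            continue
        if not in_section:
            continue
        if not line:  # the first blank line closes the section
            break
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["name"], m["action"]))
    if declared is not None and declared != len(found):
        raise ValueError(f"log declares {declared} files but {len(found)} were parsed")
    return found


def reconcile(dets: List[Detection],
              exists: Callable[[str], bool] = os.path.exists) -> Dict[str, str]:
    """Map each flagged path to 'present' or 'missing' on the live filesystem.
    `exists` is injectable so the check can run against a saved listing."""
    return {d.path: ("present" if exists(d.path) else "missing") for d in dets}


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 of a flagged file for a VirusTotal lookup; None if unreadable."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return None


def summarize(dets: List[Detection], status: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Counts per action, per on-disk status and per basename. One basename
    flagged under many profile folders is exactly the pattern in this thread."""
    return {
        "by_action": dict(Counter(d.action for d in dets)),
        "by_disk": dict(Counter(status[d.path] for d in dets)),
        "by_basename": dict(Counter(ntpath.basename(d.path) for d in dets)),
    }


if __name__ == "__main__":
    detections = parse_files_detected(SAMPLE_LOG)
    on_disk = reconcile(detections)
    for d in detections:
        print(f"{on_disk[d.path]:8} {d.action:18} {sha256_of(d.path)}  {d.path}")
    print(summarize(detections, on_disk))
```

Feed it a real mbam-log-*.txt instead of `SAMPLE_LOG` on the affected machine; an entry that is "missing" while the scanner keeps re-flagging it is the signal that the scanner and the filesystem disagree, which is what OTL's output showed here.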

#14 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 06:18 PM

Combofix log is attached.

Attached Files

  • Attached File  log.txt   25.89K   6 downloads


#15 MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 31 July 2012 - 06:24 PM

Please find this file and upload it to VirusTotal for a free scan, let me know the results (just copy back the url)

c:\windows\system32\drivers\tini.sys

http://www.virustotal.com/

MrC


#16 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 06:32 PM

Detection Ratio: 1/40

Antivirus: eSafe
Result: Win32.TrojanHorse

#17 MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 31 July 2012 - 06:35 PM

Do you have the url of the scan? MrC


#18 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 06:38 PM

https://www.virustot...sis/1343777334/

I also noticed that ComboFix created a file called ComboFix-quarantined-files.txt. Do you need that?

#19 MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 31 July 2012 - 06:45 PM

eric012, on 31 July 2012 - 06:38 PM, said:

https://www.virustot...sis/1343777334/

I also noticed that ComboFix created a file called ComboFix-quarantined-files.txt. Do you need that?

No......


Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC


#20 eric012

    New Member

  • Members
  • 21 posts
  • Gender:Male
  • Location:Dallas

Posted 31 July 2012 - 06:49 PM

What do you mean "Update"?
