eric012

Backdoor.Messa.Gen Found, but can't remove


Malwarebytes finds Backdoor.Messa.Gen in a number of files (see below). I do a remove all, reboot as directed, and they are still there on the next scan.

I can find very little info on this. I have searched for the "limewire.exe" files and can't find them anywhere on my drive. Is this a dangerous trojan, a false positive, etc.? Any help would be much appreciated. As instructed, the DDS files (and the MWB log) are attached.

c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

mbam-log-2012-07-31 (10-55-53).txt

attach.txt

dds.txt


Welcome to the forum.

I highly suggest you uninstall Yontoo 1.10.02

Here's why:

http://www.systemloo...ient_2_dll.html

BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll

---------------------------------------------

You haven't fixed anything:

c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

MrC


Thanks for your help. I had run MBAM several times. It always finds the files; I select all and Remove Selected, then restart (per MBAM instructions). Once I restart, they are there again (see log below; I have not removed and restarted again). I just finished a quick scan, after remove and restart, and they are there again. As I said, I've looked for those limewire.exe files and they are not found on my machine (at least not the way I'm searching). Any ideas what's going on?

Thanks for the advice on Yontoo. I'll see if Spybot S&D can remove it. MBAM does not flag it.

----START MBAM log----

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.31.10

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

EHarris :: D620-EHARRIS [administrator]

7/31/2012 1:08:43 PM

mbam-log-2012-07-31 (13-33-31).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 340587

Time elapsed: 24 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 13

c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

(end)


Here is the logfile, AFTER I do the remove all ......

---START MBAM log---

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.31.10

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

EHarris :: D620-EHARRIS [administrator]

7/31/2012 1:08:43 PM

mbam-log-2012-07-31 (13-08-43).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 340587

Time elapsed: 24 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 13

c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

(end)


OK, what happens when you run another scan? Is it clean? MrC


You restart and run another quick scan?


OK, this is strange. I removed and restarted, ran another quick scan, and it came back clean. Just to check, I restarted again and ran another scan, and lo and behold, it's back. When I restarted that second time, I got a message that said Windows could not load my local profile. I hard booted, and it loaded OK. One other observation is that it is very slow to fully bring up my desktop. Log follows:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.31.10

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

EHarris :: D620-EHARRIS [administrator]

7/31/2012 3:00:18 PM

mbam-log-2012-07-31 (15-28-31)-2ndrun.txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 359728

Time elapsed: 27 minute(s), 12 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 14

c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\temp\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

(end)


Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop to Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    c:\documents and settings\administrator.d620-eharris\application data\limewire.exe
    c:\documents and settings\administrator\application data\limewire.exe
    c:\documents and settings\all users\application data\limewire.exe
    c:\documents and settings\atlanticitadmin\application data\limewire.exe
    c:\documents and settings\default user\application data\limewire.exe
    c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe
    c:\documents and settings\eharris.sixsigma\application data\limewire.exe
    c:\documents and settings\eharris\application data\limewire.exe
    c:\documents and settings\endeavoradmin\application data\limewire.exe
    c:\documents and settings\localservice\application data\limewire.exe
    c:\documents and settings\networkservice\application data\limewire.exe
    c:\documents and settings\temp\application data\limewire.exe
    c:\documents and settings\user\application data\limewire.exe
    c:\windows\system32\config\systemprofile\application data\limewire.exe

    :Commands
    [EMPTYJAVA]
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC


It did ask me to reboot. When I restarted, the OTL dialog popped up. When I ran it, it popped up the log file in notepad. See below:

All processes killed

========== FILES ==========

File\Folder c:\documents and settings\administrator.d620-eharris\application data\limewire.exe not found.

File\Folder c:\documents and settings\administrator\application data\limewire.exe . not found.

File\Folder c:\documents and settings\all users\application data\limewire.exe not found.

File\Folder c:\documents and settings\atlanticitadmin\application data\limewire.exe not found.

File\Folder c:\documents and settings\default user\application data\limewire.exe not found.

File\Folder c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe not found.

File\Folder c:\documents and settings\eharris.sixsigma\application data\limewire.exe . not found.

File\Folder c:\documents and settings\eharris\application data\limewire.exe not found.

File\Folder c:\documents and settings\endeavoradmin\application data\limewire.exe not found.

File\Folder c:\documents and settings\localservice\application data\limewire.exe not found.

File\Folder c:\documents and settings\networkservice\application data\limewire.exe not found.

File\Folder c:\documents and settings\temp\application data\limewire.exe not found.

File\Folder c:\documents and settings\user\application data\limewire.exe not found.

File\Folder c:\windows\system32\config\systemprofile\application data\limewire.exe not found.

========== COMMANDS ==========

[EMPTYJAVA]

User: administrator

User: Administrator.D620-EHARRIS

->Java cache emptied: 12118713 bytes

User: All Users

User: AtlanticITAdmin

User: Default User

User: eharris

->Java cache emptied: 31633234 bytes

User: eharris.D620-EHARRIS

User: eharris.SIXSIGMA

->Java cache emptied: 28125345 bytes

User: eharris.SIXSIGMA.old

User: EndeavorAdmin

User: LocalService

User: NetworkService

User: TEMP

User: User

Total Java Files Cleaned = 69.00 mb

[EMPTYTEMP]

User: administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 402 bytes

User: Administrator.D620-EHARRIS

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 469 bytes

->Java cache emptied: 0 bytes

User: All Users

User: AtlanticITAdmin

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 469 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 469 bytes

->Flash cache emptied: 56478 bytes

User: eharris

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 402 bytes

->Java cache emptied: 0 bytes

->Apple Safari cache emptied: 2929664 bytes

->Flash cache emptied: 195840 bytes

User: eharris.D620-EHARRIS

->Temp folder emptied: 0 bytes

User: eharris.SIXSIGMA

->Temp folder emptied: 3037530 bytes

->Temporary Internet Files folder emptied: 2016887 bytes

->Java cache emptied: 0 bytes

->Google Chrome cache emptied: 83738711 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 59577 bytes

User: eharris.SIXSIGMA.old

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 469 bytes

User: EndeavorAdmin

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 469 bytes

User: LocalService

->Temp folder emptied: 547 bytes

->Temporary Internet Files folder emptied: 33237 bytes

User: NetworkService

->Temp folder emptied: 32768 bytes

->Temporary Internet Files folder emptied: 33237 bytes

User: TEMP

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33237 bytes

->Flash cache emptied: 56478 bytes

User: User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 402 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 679555 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 62414126 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 148.00 mb

OTL by OldTimer - Version 3.2.55.0 log created on 07312012_154843

Files\Folders moved on Reboot...

File\Folder C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temp\~DF68D5.tmp not found!

File\Folder C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temp\~DFB34A.tmp not found!

File\Folder C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRF{9951623B-6D2B-48F0-BA0F-76B4E2AC74DA}.tmp not found!

File\Folder C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRS{7EAA3615-FAC8-41FF-8354-1D26A3C18D7A}.tmp not found!

File\Folder C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRS{889AE9C2-E317-4484-8F3B-3984BC432850}.tmp not found!

File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_82c.dat not found!

File\Folder C:\WINDOWS\temp\Perflib_Perfdata_1600.dat not found!

PendingFileRenameOperations files...

File C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temp\~DF68D5.tmp not found!

File C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temp\~DFB34A.tmp not found!

File C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRF{9951623B-6D2B-48F0-BA0F-76B4E2AC74DA}.tmp not found!

File C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRS{7EAA3615-FAC8-41FF-8354-1D26A3C18D7A}.tmp not found!

File C:\Documents and Settings\eharris.SIXSIGMA\Local Settings\Temporary Internet Files\Content.Word\~WRS{889AE9C2-E317-4484-8F3B-3984BC432850}.tmp not found!

File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_82c.dat not found!

File C:\WINDOWS\temp\Perflib_Perfdata_1600.dat not found!

Registry entries deleted on Reboot...


Run another scan with Malwarebytes, MrC


ID'd them again. I did remove all, but haven't restarted. Maybe irrelevant, but MBAM crashed on my first attempt at rerunning this time.

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.31.10

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

EHarris :: D620-EHARRIS [administrator]

7/31/2012 4:30:30 PM

mbam-log-2012-07-31 (16-51-22).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 360146

Time elapsed: 20 minute(s), 40 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 14

c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\temp\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.

(end)


There's something wrong because all those files are not on the computer according to OTL:

All processes killed

========== FILES ==========

File\Folder c:\documents and settings\administrator.d620-eharris\application data\limewire.exe not found.

File\Folder c:\documents and settings\administrator\application data\limewire.exe . not found.

File\Folder c:\documents and settings\all users\application data\limewire.exe not found.

File\Folder c:\documents and settings\atlanticitadmin\application data\limewire.exe not found.

File\Folder c:\documents and settings\default user\application data\limewire.exe not found.

File\Folder c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe not found.

File\Folder c:\documents and settings\eharris.sixsigma\application data\limewire.exe . not found.

File\Folder c:\documents and settings\eharris\application data\limewire.exe not found.

File\Folder c:\documents and settings\endeavoradmin\application data\limewire.exe not found.

File\Folder c:\documents and settings\localservice\application data\limewire.exe not found.

File\Folder c:\documents and settings\networkservice\application data\limewire.exe not found.

File\Folder c:\documents and settings\temp\application data\limewire.exe not found.

File\Folder c:\documents and settings\user\application data\limewire.exe not found.

File\Folder c:\windows\system32\config\systemprofile\application data\limewire.exe not found.

========== COMMANDS ==========

=========================================================================================

Please do this........

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

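The cross-check MrC is doing by eye above (MBAM flags a path, OTL reports the same path "not found") can be automated when there are many profiles and several scans to compare. The Python script below is an added example for this thread, not Malwarebytes or OTL code: it parses the "Files Detected" lines of two MBAM logs and the "not found" lines of an OTL fix log, then reports which detections persisted across a "Delete on reboot", which appeared only in the later scan (the temp profile entry in this thread), and which are phantom detections that OTL could not find on disk. The log excerpts are constructed from the formats posted in this thread, trimmed to a few paths, and the regular expressions are assumptions about those plain-text formats. Two OTL lines in the thread end in "limewire.exe ." because the fix script carried a stray trailing period, so the script normalizes that away before comparing.

```python
"""Reconcile MBAM 'Files Detected' entries against an OTL fix log.

Added example for this thread; not Malwarebytes or OTL code. Log excerpts
below are constructed from the formats posted in the thread (trimmed to a few
paths). The regexes are assumptions about those plain-text formats.
"""
import re

# Constructed excerpt: first MBAM scan, removal scheduled (thread format).
MBAM_LOG_BEFORE = r"""
Files Detected: 3
c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.
(end)
"""

# Constructed excerpt: rescan after reboot, with the new 'temp' profile entry.
MBAM_LOG_AFTER = r"""
Files Detected: 4
c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\documents and settings\temp\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> No action taken.
(end)
"""

# Constructed excerpt of the OTL fix log; the first path keeps the stray
# trailing " ." that the fix script in the thread carried.
OTL_FIX_LOG = r"""
========== FILES ==========
File\Folder c:\documents and settings\administrator\application data\limewire.exe . not found.
File\Folder c:\documents and settings\eharris.sixsigma\application data\limewire.exe not found.
File\Folder c:\documents and settings\temp\application data\limewire.exe not found.
File\Folder c:\windows\system32\config\systemprofile\application data\limewire.exe not found.
========== COMMANDS ==========
"""

# Assumed line shapes, derived from the logs in the thread.
MBAM_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$", re.I)
OTL_RE = re.compile(r"^File\\Folder (?P<path>.+?) not found\.$", re.I)


def norm(path):
    """Normalize a path for comparison: NTFS is case-insensitive, and OTL
    echoes a stray trailing ' .' when the fix script had one."""
    p = path.strip()
    if p.endswith(" ."):
        p = p[:-2].rstrip()
    return p.lower()


def parse_mbam(text):
    """Map normalized path -> (detection name, action) for each flagged file."""
    found = {}
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            found[norm(m["path"])] = (m["name"], m["action"])
    return found


def parse_otl_not_found(text):
    """Set of normalized paths that OTL reported as absent on disk."""
    missing = set()
    for line in text.splitlines():
        m = OTL_RE.match(line.strip())
        if m:
            missing.add(norm(m["path"]))
    return missing


def reconcile(before, after, otl_missing):
    """Classify the second scan's detections.

    persisted: scheduled 'Delete on reboot' in the first scan yet flagged again
    new:       flagged only in the second scan
    phantom:   flagged by MBAM but reported 'not found' by OTL
    """
    persisted = sorted(p for p in after
                       if p in before and before[p][1].lower() == "delete on reboot")
    new = sorted(p for p in after if p not in before)
    phantom = sorted(p for p in after if p in otl_missing)
    return {"persisted": persisted, "new": new, "phantom": phantom}


if __name__ == "__main__":
    report = reconcile(parse_mbam(MBAM_LOG_BEFORE), parse_mbam(MBAM_LOG_AFTER),
                       parse_otl_not_found(OTL_FIX_LOG))
    for kind, paths in report.items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("  " + p)
```

With the thread's full logs pasted in place of the excerpts, every one of the 14 paths lands in both the persisted and the phantom buckets, which is the contradiction MrC points at: a scanner that keeps flagging files no on-disk search can locate is itself the thing to investigate next, not the files.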

Please find this file and upload it to VirusTotal for a free scan, and let me know the results (just copy back the URL):

c:\windows\system32\drivers\tini.sys

http://www.virustotal.com/

MrC


Detection Ratio: 1/40

Antivirus: eSafe

Result: Win32.TrojanHorse


Do you have the url of the scan? MrC


https://www.virustot...sis/1343777334/

I also noticed that ComboFix created a file called ComboFix-quarantined-files.txt. Do you need that?

No......

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC


Update Malwarebytes database. > open up MB > click the Update Tab >Check for Updates.

MrC


I was out of town yesterday and just had a chance to check and, unfortunately, MBAM still finds the problem. See below.

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.02.07

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

EHarris :: D620-EHARRIS [administrator]

8/2/2012 9:24:57 AM

mbam-log-2012-08-02 (09-24-57).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 358978

Time elapsed: 22 minute(s), 24 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 14

c:\documents and settings\administrator.d620-eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\administrator\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\all users\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\atlanticitadmin\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\default user\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\eharris.sixsigma.old\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\eharris.sixsigma\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\eharris\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\endeavoradmin\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\localservice\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\networkservice\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\temp\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\documents and settings\user\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

c:\windows\system32\config\systemprofile\application data\limewire.exe (Backdoor.Messa.Gen) -> Delete on reboot.

(end)


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    limewire.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


SystemLook 30.07.11 by jpshortstuff

Log created at 11:02 on 02/08/2012 by EHarris

Administrator - Elevation successful

========== filefind ==========

Searching for "limewire.exe"

No files found.

-= EOF =

Share this post


Link to post
Share on other sites

As you can see, none of those files are on the system:

Searching for "limewire.exe"

No files found.

The system is clean as far as I can see.

I don't know why MB is showing that.

Is this the Pro version of MB with real-time protection (you paid for this)?

Let me know, MrC
