MBAM can’t find it. Spybot is the only thing that can find it, and I run the fix and it keeps returning. I need help; I’ve exhausted all my limited knowledge.
Try running a boot time scan with Avast.
What if it is a false positive from SpyBot? A program I think is not worth hard disk space.
Are you able to upload the file to www.virustotal.com and test it with 43 malware scanners?
When/if you get the result, copy the URL in the address bar and post it here.
Essexboy is notified and will check your logs when he arrives.
@ rickc300,
Did everything seem cleared up after your last malware removal: http://forum.avast.com/index.php?topic=66336.15?
Also, are you using the same OTL file from the last time? If so, please delete it and download a new one from here since you are missing one of the 2 OTL files: http://forum.avast.com/index.php?topic=53253.0. Post the OTL logs (save them as ANSI and not Unicode). When the OTL scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).
I also noticed in your OTL log that you have Killbox, Dr. Web, and OTL from back in November of 2010. This is from your previous malware removal. Please delete Dr. Web since it can only be used once (see below).
Please download a new Dr. Web from here in SAFE MODE to your desktop to scan for Winlogon and Explorer infections: http://www.freedrweb.com/?lng=en. On the top right of the page, tick the EULA and then download.
It will download as an 8-digit file; save it to your desktop.
Restart in Safe Mode and run.
Accept the enhanced version.
Then run the Quick Scan.
About halfway through you will be prompted to buy - just “X” the box closed.
Once finished, it will generate a log; please attach that to your next post.
Download Dr.Web CureIt! and launch the utility in SAFE MODE. A notification will inform you that the utility is running in the enhanced protection mode allowing it to operate even if malicious programs block access to the Windows interface.
In the enhanced protection mode Dr.Web CureIt! is run on a protected desktop where no other application can be launched. In order to continue working in the enhanced protection mode choose OK or click Cancel to switch to the standard mode.
Click the “Start” button in the anti-virus window. Select “Yes” in the confirmation dialogue, and wait while Dr.Web CureIt! scans system memory and autorun objects. If you need to scan all or selected disks, choose between “Full Scan” or “Custom Scan” (if you choose “Custom Scan,” you need to select the objects you want to scan), and click on the “Start” button.
Dr.Web CureIt! will cure infected files and place incurable files in quarantine. When the scanning is finished, you can view the report and perform desired actions with quarantined files.
Once the scanning is completed, simply remove the Dr.Web CureIt! file from your computer (put it in your recycle bin). If you need to perform another system scan using updated definitions, you will need to download Dr.Web CureIt! again.
Also, please back up your data but no .EXE, .SCR or HTM(L) files.
IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to do malware removal instructions; use a different machine if possible to check email, sync your phone, etc.
Please do not make any further changes to your machine now that you have provided the logs.
So we will await your new OTL logs (2) and Dr. Web log for Essexboy.
Let us know if you have any questions. Thank you.
I am also thinking FP at the moment after looking at the logs.
Hey guys, my Spybot scans are picking up the same thing. While MBAM, Avast and Eset online scanner scans are all coming up clean.
I think there is a bug in Spybot that is causing it to detect a F/P trojan “Win32.AutoRun.tmp” in the registry whenever you use MBAM to quarantine and delete a file.
I’ve posted it here over on the MBAM F/P Forums: http://forums.malwarebytes.org/index.php?showtopic=71140
and here on the Spybot forums: http://forums.spybot.info/showthread.php?t=61005
I suggest taking a look.
Kind regards,
- Eclipse
This is a problem with Spybot; if you allow malware to run it will retain that in memory. The cure - totally uninstall Spybot and all folders/files associated with it, then re-install if you wish.
Hey Essex,
I’ve tried totally uninstalling Spybot (with revo uninstaller), restarting my comp then re-installing. It still picks up the same “Win32.AutoRun.tmp” detection in the registry value Winlogon\Taskman. I’ve also tried uninstalling/reinstalling MBAM the same way (with revo uninstaller). Spybot still detects this.
I also didn’t allow Malware to run on my system. I downloaded a program installer file (which MBAM flagged as a PUP - the program itself is from a legit company and isn’t harmful; or so the MBAM team says), and then I used MBAM to quarantine the file. Unless using MBAM’s quarantine/delete function causes the flagged program to run on its own? (keep in mind I never once opened the file which MBAM flagged as a PUP). The thing is, the moment you use MBAM’s quarantine function on any file that MBAM flags as anything, then Spybot will start picking up that “Win32.AutoRun.tmp” detection in the Winlogon\Taskman registry. I believe it was a recent update in Spybot that introduced this bug.
I’ve already verified this on another computer and was able to recreate the exact same detection in Spybot. All you have to do is use MBAM to quarantine a file, and Spybot starts detecting “Win32”. I believe Spybot would also create that detection even if you just used MBAM to quarantine a known false positive (although I haven’t verified this yet).
And since Spybot has started detecting this on my main computer, I’ve run MBAM full scans 5 times, Avast full scan once, and Eset online scanner 2 times (Eset scans memory also). Each one of those scans came up clean. Spybot is the only program that is detecting this.
I’m waiting for a reply from the developers of those 2 programs. Hopefully they say something about it soon.
Btw, do you use Spybot + MBAM? If so, do you mind testing it out to confirm?
I don’t wanna waste your time, but would be nice if I could have someone confirm with me that this is a bug in Spybot. If anything, it would really help put my mind at ease.
Kind regards,
- HH89
If you have MBAM there is no need for SpyBot, once a very good program back in the old days but not any more. The program is obsolete.
SpyBot is updated once a week (Wednesday); Malwarebytes have 5-10 updates a day!
So if you should get an infection on Thursday, you have to wait a week to see if it can remove it after the next update.
What about Spybot’s immunization function? Isn’t that worth something?
Well it is worth something but not at the expense of all the other excess baggage. You could use SpywareBlaster that only does immunisation and otherwise is inert. You periodically update, apply any new items and close it, it doesn’t have to be running in the background, etc.
I have not used Spybot for a fair few years, but I have come across this problem several times now. I believe it is flagging the MBAM run once delete key and once that is in memory it appears to remain. If you run IE8 and Avast - to be honest I no longer see the need for immunisation.
Ahh, makes sense. The Spybot team has now confirmed this as a F/P, and are going to be fixing it in the next update (thread here: http://forums.spybot.info/showthread.php?t=61021).
I currently use Firefox + Avast (Firefox v3.5.16). I notice there is a new version of Firefox out though. But I was always under the impression that Firefox was better/safer than IE? Is this not the case with IE8?
Kind regards,
- Eclipse
Personally I still feel Firefox is better than IE8 as it isn’t integrated into the OS, so breaching the browser doesn’t mean that you could be breaching the OS. Firefox doesn’t have BHOs or ActiveX, both of which have been targets for malware/exploits. Firefox also has a number of security-based add-ons that can improve this even further: NoScript, RequestPolicy, etc.
However, none of the above is worth a hill of beans if you don’t keep your browser up to date. The reasons why updates happen are threefold: to fix security vulnerabilities, to fix bugs, and to add or improve features.