mcafee sec.center finds files but cannot delete them [Solved]


  • This topic is locked

#31
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
OK, here is something that just might fix this:

First clean out all Temp files:
Download TFC by OldTimer to your desktop
  • Double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

After the reboot, download the following to your Desktop:
SUPERAntiSpyware

Run SUPERAntiSpyware:
  • Double click on the SUPERAntiSpyware.exe file on your Desktop to install the program
  • When done, start the program using the desktop icon.
  • When asked to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure just the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
  • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and when asked to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • Choose the current dated log & click View Log
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Save the log file as C:\SAS.txt
  • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Paste this text into your next reply

  • 0



#32
tjmk

    Member

  • Topic Starter
  • 38 posts
here is the sas.txt log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/25/2009 at 11:45 AM

Application Version : 4.26.1006

Core Rules Database Version : 3955
Trace Rules Database Version: 1897

Scan type : Complete Scan
Total Scan Time : 03:25:16

Memory items scanned : 545
Memory threats detected : 0
Registry items scanned : 7180
Registry threats detected : 19
File items scanned : 151688
File threats detected : 2

Adware.180solutions/ZangoSearch
HKCR\ClientAX.ClientInstaller
HKCR\ClientAX.ClientInstaller\CLSID
HKCR\ClientAX.ClientInstaller\CurVer
HKCR\ClientAX.ClientInstaller.1
HKCR\ClientAX.ClientInstaller.1\CLSID
HKCR\ClientAX.RequiredComponent
HKCR\ClientAX.RequiredComponent\CLSID
HKCR\ClientAX.RequiredComponent\CurVer
HKCR\ClientAX.RequiredComponent.1
HKCR\ClientAX.RequiredComponent.1\CLSID

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Adware.Tracking Cookie
C:\Documents and Settings\tjmk\Cookies\[email protected][2].txt

Trojan.Unclassified
C:\WINDOWS\SYSTEM32\MPFSERVICEFAILURECOUNT.TXT
  • 0

#33
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
What happens now if you scan with McAfee &/or MBAM?
  • 0

#34
tjmk

    Member

  • Topic Starter
  • 38 posts
hi,
i did the mbam quick scan, because it brought up the 180solutions and minibug last time. mcafee will take hours, so i'll have it scan overnight.

here is the log (fewer items, but not all gone)

Malwarebytes' Anti-Malware 1.38
Database version: 2332
Windows 5.1.2600 Service Pack 2

6/25/2009 8:54:55 PM
mbam-log-2009-06-25 (20-54-55).txt

Scan type: Quick Scan
Objects scanned: 105482
Time elapsed: 14 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#35
tjmk

    Member

  • Topic Starter
  • 38 posts
mcafee found the webcom.webbar in hkcr, but nothing else.
  • 0

#36
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Try this:
Restart the PC into Safe Mode & run the batch file we created & tried in Post #27.
Then reboot into normal mode & see if you can find those webcom.webbar keys in the HKEY_CLASSES_ROOT section.
If that is successful, make a new batch file, like before, using this code. Name it Fixreg.bat


@echo off
SWReg ACL HKCR\minibugtransporter.minibugtransporterx /GM:F
SWReg ACL HKCR\minibugtransporter.minibugtransporterx.1 /GM:F
reg delete "HKCR\minibugtransporter.minibugtransporterx" /f
reg delete "HKCR\minibugtransporter.minibugtransporterx.1" /f
exit

Double click FixReg.bat. A window will open and close. This is normal.
  • 0

#37
tjmk

    Member

  • Topic Starter
  • 38 posts
hi again.

fixservices.bat did not eliminate the webcom.webbar (s) entries in the registry. i managed to get a screenshot of the dos window.

it appears the same as it did in the jpg i posted in #24

i did not continue with your instructions because it was not successful.

sorry this is taking so long.

Attached Thumbnails

  • fixservsnap.JPG

  • 0

#38
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
OK, try this:
Boot into Safe Mode, & open regedit & scroll to those entries.
Can you right click on them & see if you can see the Permissions page?
Or do you just get the "cannot open these keys" message?
  • 0

#39
tjmk

    Member

  • Topic Starter
  • 38 posts
it says the same thing in both safe mode and regular mode.

You do not have permission to view the current permission settings for WebCom.WebBar, but you can make permission changes. [OK]

clicking OK opens up a window titled Permissions for WebCom.WebBar
with a security tab. closing that gives the error Cannot open WebCom.WebBar: Error while opening key.

this jpg shows the permissions window

Attached Thumbnails

  • permissions.JPG

  • 0

#40
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Open Regedit.
Scroll down to the offending keys & right click on the first one.
Choose Permissions.
You are getting a blank window, so we need to get you some permissions to remove those keys.
Click the Add Button.
Click the Object Types button.
There should be checks next to:
Built-in security principals
Groups
Users

Click OK
Click the Locations button. That should just list the computer name for that PC.
Click OK
Click the Advanced button, then the Find Now button.
In the list generated click Everyone and click OK & OK.
Now you should have the User Group Everyone in the upper half of the window.
Highlight that entry & tick the box next to Full Control in the Allow column.
Now click OK.

See if you can now remove that problem key.

Tell me how you get on
  • 0



#41
tjmk

    Member

  • Topic Starter
  • 38 posts
i get as far as the final step, but the last 'ok' brings up a security warning with a red circle/white x.
Unable to save permissions on WebCom.WebBar. Access is denied. [OK]
  • 0

#42
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
After consulting with some of the Registry experts here it seems we are going about this in the wrong manner.
The HKCR section of the registry is a sort of shortcut to other areas of the registry, & that is where we need to locate those keys, before trying to delete them.
To that end, can you run the following & post the resulting log, so we can see how to proceed.

Re-run OTL:
  • Close all open windows and double click the OTL.exe icon on your Desktop
  • Tick the Scan all Users box, & check Standard Output.
  • Leave the File Age: box at 30 days
  • Make sure that None is checked beside:
    • Processes
    • Services
    • Drivers
    • Standard Registry
    • Extra Registry
    • Files Created Within
    • Files Modified Within
  • Copy all the text from the Code box below & paste it into the Custom Scans/Fixes window.
    HKLM\SOFTWARE\Classes|minibugtransporter /rs
    HKCU\\SOFTWARE\Classes|minibugtransporter /rs
    HKLM\SOFTWARE\Classes|webcom /rs
    HKCU\\SOFTWARE\Classes|webcom /rs
  • Click the Run Scan button and let the program run uninterrupted.
  • It should produce a log for you. OTL.txt will open automatically.
  • I need you to post the text from that log here.

  • 0
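
The point made in post #42, that HKCR is a view onto other parts of the registry, as an added PowerShell example (not part of the original thread): HKEY_CLASSES_ROOT merges HKCU\Software\Classes and HKLM\SOFTWARE\Classes, and this reports which of the two holds a given entry and whether its owner can be read. The function name is hypothetical and PowerShell 3.0 or later is assumed; the two entry names passed in at the end are the ones reported in this thread.

```powershell
# Added example: locate the hive that backs an HKCR entry and check ACL readability.
# Resolve-ClassesRootKey is a hypothetical helper name, not a built-in cmdlet.
function Resolve-ClassesRootKey {
    param([Parameter(Mandatory)][string]$Name)

    # HKCR is a merged view of these two branches; per-user entries take precedence.
    $backing = [ordered]@{
        'HKCU' = "Registry::HKEY_CURRENT_USER\Software\Classes\$Name"
        'HKLM' = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$Name"
    }

    foreach ($hive in $backing.Keys) {
        $path = $backing[$hive]
        $row  = [ordered]@{ Name = $Name; Hive = $hive; Exists = $false; Owner = $null; Note = $null }
        try {
            # Open the key explicitly so "missing" and "access denied" can be told apart.
            $null = Get-Item -LiteralPath $path -ErrorAction Stop
            $row.Exists = $true
            # Reading the security descriptor fails separately when the DACL blocks it.
            $row.Owner = (Get-Acl -LiteralPath $path -ErrorAction Stop).Owner
        }
        catch {
            $ex = $_.Exception
            if ($ex -is [System.Management.Automation.ItemNotFoundException]) {
                $row.Note = 'not present in this hive'
            }
            elseif ($ex -is [System.Security.SecurityException] -or
                    $ex -is [System.UnauthorizedAccessException]) {
                # A denial (rather than "not found") means something is there but locked down.
                $row.Exists = $true
                $row.Note   = 'access denied: check owner and DACL on this key'
            }
            else {
                $row.Note = $ex.Message
            }
        }
        [pscustomobject]$row
    }
}

# Entry names as reported by McAfee and MBAM earlier in the thread.
'WebCom.WebBar', 'minibugtransporter.minibugtransporterx' |
    ForEach-Object { Resolve-ClassesRootKey -Name $_ } |
    Format-Table -AutoSize
```

Run it from an elevated prompt; a row with Exists = True and an access-denied note identifies the hive where ownership or permissions have to be repaired before the key can be deleted.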

#43
tjmk

    Member

  • Topic Starter
  • 38 posts
here is the OTL text.

OTL logfile created on: 6/29/2009 12:33:58 AM - Run 2
OTL by OldTimer - Version 3.0.5.3 Folder = C:\Documents and Settings\tjmk\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.00 Mb Total Physical Memory | 322.33 Mb Available Physical Memory | 31.54% Memory free
1.90 Gb Paging File | 1.26 Gb Available in Paging File | 66.32% Paging File free
Paging file location(s): C:\pagefile.sys 1022 1222 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 25.09 Gb Free Space | 33.69% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 7.83 Gb Total Space | 0.59 Gb Free Space | 7.50% Space Free | Partition Type: FAT32
Drive G: | 5.14 Gb Total Space | 4.73 Gb Free Space | 92.13% Space Free | Partition Type: FAT32
Drive H: | 6.12 Gb Total Space | 2.30 Gb Free Space | 37.57% Space Free | Partition Type: FAT32
I: Drive not present or media not loaded

Computer Name: D4J0FH31
Current User Name: tjmk
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========


< HKLM\SOFTWARE\Classes|minibugtransporter /rs >

< HKCU\\SOFTWARE\Classes|minibugtransporter /rs >

< HKLM\SOFTWARE\Classes|webcom /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000C0373-0000-0000-C000-000000000046}\\: WebComponentProperties
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000CD100-0000-0000-C000-000000000046}\\: WebComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000CD101-0000-0000-C000-000000000046}\\: WebComponentWindowExternal
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000CD102-0000-0000-C000-000000000046}\\: WebComponentFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E792405F-8668-11D3-9058-00C04F799E3F}\\: WebCommandButton

< HKCU\\SOFTWARE\Classes|webcom /rs >
< End of report >
  • 0

#44
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
OK tjmk,
That was unexpected.
I will get back to you ASAP with a new/ better plan.

Cheers,
sage5
  • 0

#45
sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi tjmk

That blank result could be due to a typo in the code I gave you. (Double \\ in 2 of the key addresses) :)
Can you please re-run OTL with all the settings the same as in the previous post.
Except use this code in the Custom Scans/Fixes window:

HKLM\SOFTWARE\Classes|minibugtransporter /rs
HKCU\SOFTWARE\Classes|minibugtransporter /rs
HKLM\SOFTWARE\Classes|webcom /rs
HKCU\SOFTWARE\Classes|webcom /rs

  • 0





