Exploit-ObscuredHtml (Read/Run w/logs)

Discussion in 'Malware Help (A Specialist Will Reply)' started by crockman, Jun 26, 2009.

  1. crockman

    crockman Private E-2

    A couple of days ago I was surfing through the MajorGeeks main site to download some software. I decided to download Advanced SystemCare (ASC).

    A split second before the download finished I saw, just for a second, another download window pop up. The unknown window was roughly written; it looked like it was written by hand very quickly (or with poor writing skills). But it happened too fast to actually understand any of the writing.

    I then went to install the ASC Software and immediately my McAfee Internet Security (free from Comcast) popped up a "Found Trojan" Window.

    I then went searching for McAfee's Quarantine. In the Quarantine I found:
    File Name: unins000.msg
    Detection Name: Exploit-ObscuredHtml
    Items: C:\Program Files\IObit\Advanced SystemCare 3\unins000.msg


    My PC, a Toshiba M400 Laptop w/ Vista Business Edition-32 bit, runs just fine. I'm mainly making this thread to find out if there is anything else I should do or just trust McAfee has solved the problem.

    READ & RUN ME FIRST:

    I've already completed every step, attached Log Files are included.

    A Couple Exceptions though.

    I could not get RootRepeal to run. I tried twice double-clicking the exe but it crashed 3 times (error-windows) both attempts. Then tried once as Administrator but it crashed again 3 times.

    Also, I did not remove the accused Trojan from McAfee's Quarantine and it is still there. The reason I did not remove it is the possibility that it's a false positive. I tried to uninstall Advanced SystemCare from Programs & Features but it would not uninstall due to a missing file, which happens to be the file McAfee has in Quarantine.

    Again My Laptop runs just fine. So if McAfee has the only piece of this said Trojan, should I just delete Exploit-ObscuredHtml from Quarantine and call it a Lucky Day ?

    How will I uninstall Advanced SystemCare if I do delete the needed file that's in Quarantine ?

    FYI: Also now in McAfee Quarantine is "EICAR test file". Obviously one of the Read & Run Me programs uses that EICAR as one of its tests.

    Thanks in Advance
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    McAfee is incorrect and you need to report this to them if you want to ever have it resolved. Like many tools, McAfee has lots of false detection issues.

    Actually you forgot the Malwarebytes log but we don't need it since your logs are all clean. You should just disable McAfee's active protection and restore the file and then do your uninstall of ASC. Or alternatively, disable McAfee and reinstall the program. Then uninstall it.


    Since you are not having malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
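The first post found an "EICAR test file" in quarantine next to the suspected false positive, and the reply above says to report a false detection to the vendor. The following added example (not code from the thread or from McAfee) is a small triage helper a user can run on a restored quarantine file: it recognises the EICAR test file by its published rules (the 68-byte test string, optional trailing whitespace, at most 128 bytes in total) and otherwise computes the SHA-256 so the file can be compared against a hash the vendor publishes or included in a false-positive report. The `vendor_sha256` value is an assumed input you obtain from the software vendor.

```python
import hashlib
import sys
from pathlib import Path
from typing import Optional

# Canonical 68-byte EICAR anti-virus test string (a public standard, not malware).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MAX_LEN = 128  # EICAR rule: string plus optional trailing whitespace, <=128 bytes


def is_eicar_test_file(data: bytes) -> bool:
    """True if `data` is a valid EICAR test file under the published rules."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    # Anything after the test string may only be whitespace.
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes, vendor_sha256: Optional[str] = None) -> dict:
    """Classify a quarantined file for a false-positive investigation.

    verdict is one of:
      'eicar-test-file'     - harmless test file planted by a scanner test
      'matches-vendor-hash' - identical to the vendor's published build
      'unverified'          - report the hash to the AV vendor / software vendor
    """
    digest = sha256_hex(data)
    if is_eicar_test_file(data):
        verdict = "eicar-test-file"
    elif vendor_sha256 and digest.lower() == vendor_sha256.lower():
        verdict = "matches-vendor-hash"
    else:
        verdict = "unverified"
    return {"verdict": verdict, "sha256": digest, "size": len(data)}


def triage_path(path: str, vendor_sha256: Optional[str] = None) -> dict:
    """Convenience wrapper: triage a file on disk."""
    return triage(Path(path).read_bytes(), vendor_sha256)


if __name__ == "__main__":
    # Usage: python triage.py <file> [vendor_sha256]
    vendor = sys.argv[2] if len(sys.argv) > 2 else None
    print(triage_path(sys.argv[1], vendor))
```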
  3. crockman

    crockman Private E-2

    Thanks for the Reply.

    I had thought it might be a false positive, so I have not deleted the quarantined ASC file.

    You may be correct about McAfee & False Positives. About 10 minutes ago ASC opened a "New Version" Available Window on my Desktop. So I downloaded it and had it replace the existing Asc Download just in case that original download was infected.

    As soon as the new version download completed, McAfee popped up a "Found Trojan" window. I went into Quarantine and this time it looks as if McAfee is picking on ComboFix.

    The File now Quarantined is:
    File Name: COMBOFIX.EXE
    Detection Name: Artemis!56D56147D93A
    Items: C:\Users\Todd\Desktop\ComboFix.exe


    So it looks like I'll need to use your suggestion of disabling McAfee to be able to restore those 2 Files then Uninstall ASC & ComboFix.

    Thanks again for the assistance

    Btw Yes, sorry I did forget to Upload the Malwarebytes Log. I did not want to Reply to my Thread with the missing Log due to your "No-Bump" Rules.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes that is why the procedures for using ComboFix and also many other special malware removal tools state that you must disable your protection software before running the tools and possibly even before downloading the special tools. ;)
     
