How to rename mbam-setup.exe - please assist

Considering you have already installed it now, just continue on with the other steps.

 

I will be here waiting

 

ok. =)

 

Just post the logs when you are ready.

 

Good evening. When you say "get rid" of symantec, do you want it off your machine for good or are you referring to how to disable it properly whilst you run combofix?

By all means I can give you instructions for it's removal, and removal of any of it's remains, however this decision very much depends on how long you have left on your subscription for the software. Do you want to get the most out of your purchase and continue it's use before expiration, or do you wish to opt for a less resource hungry approach and go for a free and effective anti virus?

Let me know, but either way, at least while you're at it run MBAM, SAS and MGTools if you havent done so already and provide logs from each. We are time wasting really at the moment, and if you ARE infected then wasting time is really not in our best interest.

What malware problems are you actually having as you neglected to provide a brief description of your situation

Thanks
Kes

 

OK, and after running SAS and MBAM you can do this before running Combofix.

Go to add/remove programs and uninstall Symantec from there first.

Next... please give the Norton Removal Tool (SymNRT) a run > reboot your machine and then run it again for good measure.

Then continue on with the combofix and MGTools. Only make a new reply once you have gathered all the requested logs as it will inevitably delay any potentioal fixes/progress. Attch those logs and we can finally make a start in cleaning up any remains of malware if they exist on your machine.

 

You should have accepted I wanted to see a hijackthis log ideally. Run MGTools again and ensure that you click the accept button twice when prompted. Include the NEW mglogs.zip in your next reply. However, I must go to bed now, so attach all I need and I will get to you when I finish work tomorrow.

The NRT should be simply double clicked, a command prompt window will flash briefly and the job is done. At least that has been my experience of it. Not sure why symantec is requesting a pin upon attempted removal in add/remove progs either. In any case, proceed on.

 

1. Before we continue I would like for you to ensure that MGTools.exe is indeed directly on your C Drive and not in any other location, such as where you have it like the below.

2. Do you have symantec corporate edition installed? Because another member (Thanks sikvik) explained to me a password IS required to uninstall that particular version. Let me know.

3. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix exit HJT.

4. Could you please get this: dirref.ini into a zipped file and attach it for me in your next post? To do this, see the below:

Please go to start > Run and paste in the following:

log retrievable @ C:\collect.zip

5. Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

DirLook::
C:\CWDS2Temp

File::
C:\Documents and Settings\Administrator\Local Settings\TEMP\~DF1EA5.tmp
C:\Documents and Settings\Administrator\Local Settings\TEMP\~DF28A8.tmp
C:\Documents and Settings\Administrator\Local Settings\TEMP\~DF8CAF.tmp
C:\Documents and Settings\Administrator\Local Settings\TEMP\~DFB1F4.tmp
C:\Documents and Settings\Administrator\Local Settings\TEMP\~DFCE02.tmp
C:\Documents and Settings\Administrator\Local Settings\TEMP\~DFD357.tmp
C:\Documents and Settings\Administrator\Local Settings\TEMP\~DFD530.tmp
C:\Documents and Settings\Administrator\Local Settings\TEMP\~DFDDFF.tmp
C:\Documents and Settings\Administrator\Local Settings\TEMP\~DFF291.tmp
C:\Documents and Settings\Administrator\Local Settings\TEMP\~DFFEA.tmp

Folder::
c:\documents and settings\Administrator\Local Settings\Application Data\nuoiym
c:\documents and settings\All Users\Application Data\STOPzilla!
c:\documents and settings\All Users\Application Data\avg8

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

RegLock::
[HKEY_USERS\S-1-5-21-790525478-1060284298-1343024091-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,67,48,c7,13,e9,bb,42,9c,41,1c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,67,48,c7,13,e9,bb,42,9c,41,1c,\

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix. and the collect.zip.

7. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

a member here (sikvik) informs me that for the Corporate Edition:

Let me know how you get on with that.

 

No problem. I will be here waiting.

 

@snapper......I edited your previous post because Kes is a female! Hence the gentlewoman edit. :-D You did originally call her a gentleman.

 

Good evening (morning for me)

More than likely from zone alarm and benign.

Use windows explorer to locate and delete the below bold folder (it is empty):

Now do the same to be rid of the following leftover directories from syamntec. (folders to delete in bold)

• c:\program files\Symantec
• c:\program files\Common Files\Symantec Shared
• c:\program files\Symantec AntiVirus
• c:\documents and settings\All Users\Application Data\Symantec

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Hey snapper. You're welcome for the help.

SAS and MBAM without real time protection, no, will not stop incoming as you say, however they are two of the best scanners I know and I have a up to date copy of each (free versions) on both of my machines. Just becareful about your surfing habits, what you download, where from etc... I do lots of surfing and downloading, yet I have not been infected since I bought my first PC because I use common sense as my primary antivirus!

The choice to go with avg9 is entirely up to you, I cannot be seen to influence your decision in any way, however, I can tell you that I use Avast! Home Edition, and have been very happy with it for about 2 years now.

Safe surfing, and take care.
Kes

 

I wish you well too snapper Take care.

 

Yes, you can go ahead and post in software my friend. I am having to run around in malware now, before going off to work again a little later.