Trend Micro: Trouble

The machines we love to hate

Moderator: Wiz Feinberg

Bent Romnes
Posts: 5985
Joined: 28 Feb 2007 2:35 pm
Location: London,Ontario, Canada
State/Province: -
Country: United States

Trend Micro: Trouble

Post by Bent Romnes »

Help, Wiz, Please
Things were going ok until I went to update my Adobe Flash as recommended by Secunia.
It hung on the installation and I had no way of getting out of it... had to power off the computer and try again. Same thing the 2nd time.
Then Trend gives me a message that it has detected instability and also that it sees my C:\Windows\SYSTEM folder as bad or unstable or something... I didn't get all the things it told me.
So there is obviously a problem with Trend Micro or at least a conflict of some sort

What to do now?
Wiz Feinberg
Posts: 6118
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Bent Romnes wrote:Help, Wiz, Please
Who seeks the Mighty and Powerful Wiz?

So, Adobe Flash is blocked during an update procedure. Are you downloading it from Adobe.com? If so, please just download the Flash setup file from the Adobe Flash page. Save it to your desktop. Close all browsers. Run the setup again. If you get any warnings from TMIS asking if you want to run the file, allow it.

If Trend is really blocking a legitimate Flash update it will be reported by watchers and they will release new definitions to fix the problem.

There is another way to update Flash, should the browser or download method still fail. Close all open browsers and other programs that have windows. Open My Computer. Navigate to the "Windows\System32\Macromed\Flash" directory and open it. You will see a file with a name beginning with FlashUtil - followed by a version, a period, and an exe extension (the latest version is FlashUtil10d.exe). Double click on it to open the Flash updater. Click on Install Now to upgrade to the new version of Flash (it always says there is a new version available, even if there is not). If you also use Firefox there will be another upgrade file, named NPSWF32_FlashUtil.exe. Double click on it and run another update for Firefox and other browsers.

After each update you will see the version number change on FlashUtil(version).exe, which is the Internet Exploder ActiveX version.

The next time you open a browser go back to Secunia and scan again to see if it recognizes the update as the current version.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog

Post by Bent Romnes »

Wiz, sorry to be a pain but it seems I am at my wits' end here. If there is this much trouble in getting Trend to run properly, and in getting simple updates, it seems to me that Trend, being a fine program, is more suited for computer-savvy people somewhere above my skills.
I tried what you told me, to dl the setup file and install it from my desktop. It didn't work. It hung as soon as the download started.

The other way you explained is just above my skills but I will have a go at it.
Another thing I just noticed: I had Trend set for scan at 10 AM..I checked 2 min after and 10 min after but no apparent scan is being done.
I will try one more time. Hope you are here to hold my hand :oops: :lol:

Post by Wiz Feinberg »

Bent;
Something is not right with your computer. This is not how Trend or Flash are supposed to behave. I think that some troubleshooting may be in order. If you're up to it, here is the procedure to follow.

First of all, please detail your OS and service pack level, if any, and the last time you received Windows Updates. The Secunia Online Software Inspector will help identify any missing updates or insecure programs.

Second, tell me what type of user privileges you run with in your daily use account.

Third, download, but do not run, the following programs to your Windows desktop:

Fourth, disable the real time protection modules of Trend Micro, via its icon in the System Tray.

Fifth, I want you to run Rkill.com. This is a specialized program that will terminate known rootkits that are active. If your anti-virus program flags it as a malicious process choose the option to ignore it and remember your decision (that is why I told you to turn off monitoring of files by TMIS). This is a hunter-killer program.

If you are running as an XP Limited or Power User, or as a Standard User on Vista or Windows 7, you may need to right-click on Rkill and "Run As" an Administrator.

DO NOT REBOOT after running Rkill, until you have run these other applications as instructed!

After Rkill has completed, note any malware it reports as having terminated. Then, open, update and run a quick scan with MBAM. Tell MBAM to fix any malware problems it detects. Save the report it presents to your desktop, after the scan is finished.

Next, install and update Threatfire, then have it scan for rootkits. Let it reside in the System Tray and run when Windows starts up, until this is resolved.

At this point, if malware threats or rootkits have been reported, please disable System Restore. To do this go to Start and right-click on (My) Computer, then left select Properties. Click on the tab labeled System Restore. There you will find a checkbox to turn off system restore. Check the box and click Apply. Wait until the restore points have been deleted. Do nothing else until the busy cursor changes to a normal cursor.

Next, go to the HouseCall online virus scanner and download the required database, then run a full scan of your PC. When the scan completes have it remove whatever it is able to. Save a report and tell me what if anything was detected, removed, or not removed by that scan.

Next, uninstall Trend Micro PC-cillin trial version and reboot the PC into "Safe Mode With Networking" (tap continuously F8 while rebooting to get to the boot menu). Login to your account in Safe Mode (with Networking).

As soon as you accept the big safe mode notice run rkill again, then open MBAM, update it again and scan for threats. If any are found try to fix them.

If no (more) threats are found try to install the trial version of Trend Micro again. If it will not install in Safe Mode, restart into normal Windows mode and try from there.

With PC-cillin installed, update it and scan for viruses, spyware or malware. Report any threats it finds and removes.

At this point your computer should be cleaned of malware. Trend Micro should be up and running. Threatfire should also be running as an icon in the system tray. Normally, these programs won't get along. However, you are trying out Trend at this point and Threatfire only watches for and blocks rootkits. When things are running normally, if you decide to license Trend Micro Internet Security, then you can remove Threatfire from starting up, or uninstall it completely.

Note, that running two realtime monitors will slow down the PC a bit.

If there are still problems with your computer the operating system may have become corrupted. This is another matter, with its own resolution methods.

When you are certain that there is no more malware running, restart System Restore by unchecking the box that you used to turn it off.

Now, follow my previous instructions for updating Adobe Flash. Download fresh copies, just in case there was something wrong with the first ones. Get Flash from http://www.adobe.com/go/EN_US-H-GET-FLASH.

Let me know how things work out for your PC. If you don't understand any of my instructions, please ask for clarification.

Post by Bent Romnes »

Whew! Thanks Wiz. I suppose it sounds way more overwhelming than it really is. I will Take a day very soon and do according to your instructions.

In the meantime:
I opened the file in System32 and got the Flash update as per your instructions. It worked.
Prior to this, I had Dl'd the flash install to the desktop. When I try to delete this file, Trend locks everything up. So I will leave that file for now I suppose.

Also, something I forgot to tell you from last night:
When Trend told me that it had found some insecurities in my Windows/SYSTEM due to numerous power-offs and re-starts, it also told me that something was trying to access my computer via a port (I didn't mark down the port number). It informed me also that the IP of the intruder is 99.249.129.7; my IP is the same, only instead of 7 at the end I have .255. Both numbers apparently come from the same ISP.
What does this tell you?

By the way I just did a scan with Malwarebytes, over 3 hours it took and nothing malicious was found.

Post by Bent Romnes »

Wiz you wanted me to detail my OS etc:
I have Windows XP 2002 with Service pack 3
I am on automatic update. I believe the last one was maybe a week ago?

Not sure about user privileges I don't log in as administrator, if that's what you mean; I don't even know how to do that.

Additionally, I just checked with Secunia and it told me that Microsoft Internet Explorer 8.X is insecure,
with "no solution" although I almost never use IE anyway, I always use Firefox; it's 3.5.5
All other programs listed in Secunia Had a status of "Patched"

I just checked the IE security issues and it says that it won't help just not to use it as my Firefox interacts with IE. The only way to make it secure would be to disable it and how do I do that? And then my Firefox wouldn't work any longer, would it?

I'll see what you say to this before I do anything. Thanks again

Post by Wiz Feinberg »

Bent;
You have made very good progress in a short time. I was unaware of the bad shutdowns you just mentioned in your last posts. These often lead to the corruption of files in use at the time the power went off. There is a fast way to fix some of these issues, as outlined below.
  1. Insert your XP CD in a CD drive
  2. Click on Start, then "Run"
  3. Type or copy/paste this command: SFC /SCANNOW
  4. Press Enter and the scan for corrupted system files begins
  5. You may be prompted to show where the OS CD is several times. If it is in drive D, type D, or browse to the XP CD and press Enter to continue.
  6. After a few repetitions you should be able to just press Enter when the box pops up looking for the source CD.
When the scan completes it simply goes away. No reports to file, no bodies to tag.

Next, find the icon for My Computer (your computer, not mine). Double click to open it. Find the icon for drive C and right click on it. Select Properties. On the Properties sheet choose the Tools tab. Under "Tools > Error Checking" press the "Check Now" button. When the Check Boot Disk box opens check the top box to Automatically fix file system errors then click the "Start" button. Another information box will open telling you that you must schedule the disk check for the next time you start the computer. Answer in the affirmative, then reboot. Stay away from the keyboard when you see the message about a disk check has been scheduled to run. DO NOT press any keys until the computer has automatically rebooted into the Welcome screen.

Hopefully, this will fix the corruption caused by bad shutdowns.

Why are you having bad shutdowns Bent? Is it due to bad power, or internal part failure, or overheating from dust build-up?

If your hydro keeps going off you can buy an uninterruptable power supply (UPS), preferably by APC. They come in a variety of capacities (Volt-Amp ratings) and minutes of uptime (US minutes, not Canadian minutes - eh!) and a USB cable to connect to your PC, plus software to monitor for power fluctuations and to gracefully shutdown your PC in the event of a total loss of AC power. Expect to spend about 80 Loonies, or 40 Toonies for a 750 V-A UPS.
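The check-and-repair steps in the post above, collected into a batch file as an added example (this is not from the original post or from any vendor). It assumes the system volume is C:, that the XP CD is available when SFC asks for it, and that it is run from an Administrator account via Start > Run > cmd. The first two commands are the check a practitioner wants before repairing anything: whether the volume was actually flagged dirty by the unclean shutdowns, and whether a disk check is already scheduled.

```batch
@echo off
REM Added example, not the forum post's own script. Assumes the system volume is C:.
REM Run as Administrator (Start > Run > cmd) on Windows XP.

REM 1. Was the volume flagged "dirty" by an unclean shutdown?
REM    Prints "Volume - C: is Dirty" or "Volume - C: is NOT Dirty".
fsutil dirty query C:

REM 2. Is autochk already scheduled to run on C: at the next boot?
chkntfs C:

REM 3. Schedule a check-and-repair of the system volume. chkdsk cannot lock C:
REM    while Windows is running, so it asks to run at the next restart;
REM    the piped Y answers that prompt. Do not touch the keyboard during the boot-time check.
echo Y | chkdsk C: /F

REM 4. Verify protected system files against the DLL cache or the XP CD.
REM    SFC prompts for the CD whenever a protected file must be replaced.
sfc /scannow
```

Step 3 only takes effect after a reboot, and step 4 runs immediately, so on a machine where SFC is being deferred (as agreed later in the thread) simply drop the last line and run the file once.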

Post by Bent Romnes »

Wiz, I will do what you said here first then, before I run Rkill and Threatfire.
Now the bad shutdowns/startups were solely due to Trend's issues with Flash. I did not have them before, nor have I had them after I updated Flash in the System32 folder.

There are no other reasons like overheating.

So...do you still say I should do the SFC /SCANNOW with the XP CD?

Post by Wiz Feinberg »

Bent Romnes wrote:Now the bad shutdowns/startups were solely due to Trend's issues with Flash. I did not have them before, nor have I had them after I updated Flash in the System32 folder.

There are no other reasons like overheating.

So...do you still say I should do the SFC /SCANNOW with the XP CD?
The damage has already been done. At least run Chkdsk as I described in my last reply. It will find and fix file system errors caused by bad shutdowns.

You can hold off on running the SFC command unless other weirdness manifests itself. That will find and replace corrupted system files.

Post by Bent Romnes »

Wiz, I did what you said. It ran the chkdsk and I guess it fixed errors since that's what I told it to do.

I also ran a defrag. The drive was 4% fragmented. It has 70% free space.

So I guess with that we can wait til "other weirdness manifests itself"...? It seems to me that things are running ok for now.
By the way, the little thing I told you about earlier, about Trend locking everything up when I tried to delete that Flash install file: now it doesn't do that any more. I deleted it, no problem.

Also, Trend ran a great scan last night, it took almost 3 hours and something like 155000 files checked. It found one threat: TROJ_PACKED.DFN
It was quarantined.
Or I'll do whatever you suggest.

Post by Wiz Feinberg »

I'm glad that things are back to normal on your computer and that I was able to help.

Post by Bent Romnes »

Hi Wiz,
This is the first chance I've had to thank you since the forums were down.

With Trend doing that great scan, I, too, thought everything was back to normal.
Alas, that was not so. I am having serious reservations about this scanner, after what I have seen the last few days.
Some of the things that happened:
Firefox ended up not running properly, when I went to uninstall, something prevented me from doing that.

Windows wouldn't even let me get into Add/Remove Programs. When I tried to download the new Firefox setup file, it DL'd 99% and then hung... There was no way to get out of it because Ctrl/Alt/Delete kept hanging, so I had to power off.

Finally, at my wits end, I uninstalled Trend to try and see if it was causing all the problems. Sure enough..as soon as I got rid of it, I was able to download/install what I needed.

There seems to be a serious issue between Windows XP and Trend, or at least it looks like Trend is for the power user and above the knowledge of the common guy like me.


That's the stage I am at for now. Unless there is something you can show me that I missed, I am afraid that I'll have to go back to SB S&D and AVG.

Thanks again for your help though, I appreciate you taking your time with me. As usual, you perform way beyond the call of duty.

Post by Wiz Feinberg »

Bent;
In your case, considering all that you have gone through and tried, I would go back to what was working before. Trend Micro will work great for most computers, but there is always going to be an exception. Individual computer configurations can throw off the best tools.

We may never know what is causing the problem with TMIS on your PC, but thanks for at least trying it out and for asking for assistance here. Assume something is afoot, which is as yet unidentified.

I would still recommend that you use Malwarebytes Anti-Malware, due to its frequent updates and very specific targeting of the most current malware threats in the wild, especially the fake anti-virus programs and scans. As I mentioned earlier, Spybot is good, but is only updated once a week. However, it does have a good feature in the immunization module. You just have to be careful about using or depending on the Teatimer and the Heuristic scanner. Both are known to give frequent false positives.

Post by Bent Romnes »

Wiz, I will heed all your recommendations. It is great to have an expert on hand, that way I can just do things without questioning if it is right or wrong.

I will continue to use Malwarebytes
Like you recommend, I will re-install SB S&D. It is just like what you say about teatimer: It is excessive and unnecessary. I did indeed find the immunization is a great tool.

I will take you up on the 2 recommendations: Rkill and Threatfire. On a slow day I will run them and see if they can dig up anything. It is fun experimenting anyway.

Thanks again for your help. Muchly appreciated.

Post by Wiz Feinberg »

Rkill is only used if a rootkit is suspected, or if you are looking to see if one is lurking. Threatfire actively seeks and destroys rootkits.

The reason I advised using Rkill first was in case a rootkit was active it would lie to or block access to MBAM. Now that we think we know that your system might possibly not necessarily have a rootkit hiding somewhere, causing all this weird behaviour (CA version of that word), Rkill is probably overkill and not necessarily necessary. Theoretically.

Post by Bent Romnes »

I guess I missed that along the line. How would I suspect an active rootkit and what is a rootkit anyway?
Does the computer behave in a special way?

Post by Wiz Feinberg »

Bent;
A rootkit is a totally hidden malicious process that operates at the system kernel level to do things behind your virtual back. Most rootkits are totally malicious, but some were designed to enforce digital anti-copy rights (e.g. the Sony mayhem of October 2005). Since they don't run visibly you need special tools to root them out.

MBAM and Threatfire are two such tools and are well known to malware authors. They (the bad guys in the former USSR, like Boris Badenoff and Natasha Darlinck) embed code to block those scanners from running and even from installing. MBAM must sometimes be renamed when saving the setup file. This usually fools the malware and allows one to install it and scan.

When a malware process blocks well known anti-malware tools from running you need a bigger gun. Rkill is a big gun. After you download the latest version it will defend itself, then go about seeking rootkit executables and processes in memory (RAM) and terminate them. Rkill does not remove the rootkit; it puts it to sleep temporarily. Then you can run MBAM or Threatfire to try to remove it from your PC. If you reboot after using Rkill and the rootkit has not been removed with another tool, it will become active as the PC restarts.

Since you were able to install, update and scan with all the tools I suggested, a rootkit on your PC is unlikely (but not impossible). The odd behaviour of TMIS makes me wonder what caused it, but, 'nuf said. Maybe just some bad interactions between processes. I dunno.

Post by Bent Romnes »

Wow this is getting pretty deep, but interesting.

Say, will there be any harm if I decide to dl and run these 2 progs..just out of curiosity. Like, is there a danger of irreversible damage to anything if I should hit the wrong key or make the wrong decision during a scan?

Post by Wiz Feinberg »

Bent Romnes wrote:Wow this is getting pretty deep, but interesting.

Say, will there be any harm if I decide to dl and run these 2 progs..just out of curiosity. Like, is there a danger of irreversible damage to anything if I should hit the wrong key or make the wrong decision during a scan?
No problem Bent. Run MBAM first, then install ThreatFire. TF will restart in your System Tray whenever Windows starts up, if you leave the default options set. It does a quick scan for rootkits on startup, then monitors as you use the PC. It uses behavioral analysis to detect malware, plus definitions of rootkits.

Unless registered, MBAM is a purely manual on-demand scanner, which must be updated before scanning. Registering it turns on automatic updates, scheduled scans and real time process monitoring for malware it knows about.

These programs, along with Spybot S&D and AVG should give you fairly broad coverage. It will be a bit of a hassle managing all of the updating and scanning, but that is the price of freeware.