This appears to be an old issue that has resurfaced. Any simple way to remove it?
Malwarebytes' Anti-Malware 1.40
Database version: 2738
Windows 5.1.2600 Service Pack 3
03/09/2009 8:21:03 PM
mbam-log-2009-09-03 (20-21-03).txt
Scan type: Quick Scan
Objects scanned: 103917
Time elapsed: 11 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmrnmnenkr (Rootkit.TDSS) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Two scans were done. It still shows infected.
Malwarebytes' Anti-Malware 1.40
Database version: 2738
Windows 5.1.2600 Service Pack 3
03/09/2009 7:52:26 PM
mbam-log-2009-09-03 (19-52-26).txt
Scan type: Quick Scan
Objects scanned: 103859
Time elapsed: 11 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmrnmnenkr (Rootkit.TDSS) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#1
Posted 04 September 2009 - 01:37 AM
Glenn Keeping
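The two scan logs above report the same registry key as "Quarantined and deleted successfully" half an hour apart, which is the real symptom: the removal is not sticking. The following added example (written for this thread, not code from Malwarebytes or from the poster) parses logs in the MBAM 1.40 layout shown above, cross-checks the summary counts against the listed detections, and flags any item reported as removed in more than one scan. The log excerpts embedded in it are constructed from the two scans in the post, and the line patterns are assumptions derived from that layout rather than a documented format.

```python
"""Parse Malwarebytes' Anti-Malware (MBAM 1.40 style) scan logs and flag
detections that keep coming back across scans (removal not sticking)."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed excerpts in the log layout shown in the thread (not the full
# logs).  Key, threat name and scan times are the ones the poster reported.
LOG_EARLIER = """Malwarebytes' Anti-Malware 1.40
Database version: 2738
Windows 5.1.2600 Service Pack 3
03/09/2009 7:52:26 PM
Scan type: Quick Scan
Registry Keys Infected: 1
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\kbiwkmrnmnenkr (Rootkit.TDSS) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""
LOG_LATER = LOG_EARLIER.replace("7:52:26 PM", "8:21:03 PM")

# Line patterns are assumptions derived from the logs in the thread.
TIMESTAMP_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")      # "Files Infected: 0"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")            # "Files Infected:"
DETECTION_RE = re.compile(r"^(?P<path>.*) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"


@dataclass
class Detection:
    section: str
    path: str
    threat: str
    action: str


@dataclass
class ScanLog:
    scanned_at: datetime
    summary: dict = field(default_factory=dict)      # section -> reported count
    detections: list = field(default_factory=list)   # Detection objects


def parse_mbam_log(text: str) -> ScanLog:
    """Turn one log into a ScanLog; the day/month/year timestamp is assumed."""
    scanned_at, summary, detections, section = None, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := TIMESTAMP_RE.match(line)):
            scanned_at = datetime.strptime(m.group(1), "%d/%m/%Y %I:%M:%S %p")
        elif (m := SUMMARY_RE.match(line)):
            summary[m.group(1)] = int(m.group(2))
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section and line != NO_ITEMS and (m := DETECTION_RE.match(line)):
            detections.append(Detection(section, m["path"], m["threat"], m["action"]))
    if scanned_at is None:
        raise ValueError("no scan timestamp found in log")
    return ScanLog(scanned_at, summary, detections)


def summary_mismatches(log: ScanLog) -> dict:
    """Sections whose reported count differs from the items actually listed."""
    listed = {}
    for d in log.detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in log.summary.items()
            if n != listed.get(s, 0)}


def recurring_removals(logs: list) -> dict:
    """(path, threat) -> scan times, for items reported removed in 2+ scans.
    A hit here means something is restoring the item (or the removal never
    took effect), which is what the thread is about."""
    seen = {}
    for log in sorted(logs, key=lambda l: l.scanned_at):
        for d in log.detections:
            if "deleted" in d.action.lower() or "quarantined" in d.action.lower():
                seen.setdefault((d.path, d.threat), []).append(log.scanned_at)
    return {k: times for k, times in seen.items() if len(times) > 1}


if __name__ == "__main__":
    logs = [parse_mbam_log(LOG_EARLIER), parse_mbam_log(LOG_LATER)]
    for log in logs:
        print(log.scanned_at, "summary mismatches:", summary_mismatches(log))
    for (path, threat), times in recurring_removals(logs).items():
        print(f"REMOVAL NOT STICKING: {path} ({threat}) removed at "
              + ", ".join(t.strftime("%H:%M:%S") for t in times))
```

Run against a folder of real mbam-log-*.txt files by feeding each file's contents to parse_mbam_log; a non-empty result from recurring_removals is the cue to look for something guarding or recreating the item (a registry-monitoring tool, as in this thread, or a still-active driver) rather than to keep rescanning.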
#2
Posted 05 September 2009 - 01:33 PM
Hi,
The malware you are dealing with locks MBAM's detection and removal, but the next version of MBAM should be able to bypass this and deal with it. In the meantime, to deal with it:
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
#3
Posted 05 September 2009 - 03:27 PM
Hi,
Thanks for taking a look at this. I was able to disable all spyware / antivirus but had trouble with AVG. The log is attached as per your requests. Again thanks!
Regards,
Glenn
miekiemoes, on Sep 5 2009, 09:33 AM, said:
Hi,
The malware you are dealing with locks MBAM's detection and removal, but the next version of MBAM should be able to bypass this and deal with it. In the meantime, to deal with it:
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix in your next reply.
Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Attached Files
Glenn Keeping
#4
Posted 05 September 2009 - 03:37 PM
Hi,
I can already see now why that key in the registry was not deleted before. You are running TeaTimer and Ad-Watch, which both monitor registry changes. MBAM detected the malicious leftover in the registry, and either TeaTimer or Ad-Watch probably reversed the deletion again, since they may see it as a malicious attempt. This happens all the time with removal tools if you have TeaTimer or Ad-Watch running in the background.
Anyway, ComboFix bypasses TeaTimer/Ad-Watch, so the key in the registry got deleted now.
* Go to Start > Run and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Let me know in your next reply how things are now.
#5
Posted 06 September 2009 - 12:35 PM
I can't thank you enough for your help. The issue is now resolved and you can close this log. Awesome support man!!!
Million Thanks,
Glenn
GlennK, on Sep 5 2009, 11:27 AM, said:
Hi,
Thanks for taking a look at this. I was able to disable all spyware / antivirus but had trouble with AVG. The log is attached as per your requests. Again thanks!
Regards,
Glenn
Glenn Keeping
#6
Posted 06 September 2009 - 08:59 PM
Glad I could help. 
Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy surfing again!
#7
Posted 08 September 2009 - 11:40 AM
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.