Jintan

Honorary Members
Posts: 143
Reputation: 0 Neutral
Recent Profile Visitors: 4,474 profile views

  1. Always glad to be helpful here. Just a few changes now, and remove what our work added there. Actually one of them will rehide those file settings. AntiVir has a good reputation, so should be just fine to reinstall.

The logs show you have slightly outdated versions of vulnerable programs, so go to each of these sites and update to the latest version (keep your eyes open - they often slide in "opportunities" for things like Google, or McAfee's scanner):

http://www.adobe.com/downloads/ (For Adobe Reader and Flash Player - uncheck the useless McAfee scan, if offered)
http://java.com/en/download/manual.jsp (For Java 7 Update 4 - trying to slip Ask adware/spyware to systems lately, so watch and uncheck it)

Once you have done that, be sure to go to Add/Remove Programs and uninstall any older, more vulnerable Java versions.

-------------

Go to Start – Settings – Control Panel. Click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

McAfee SiteAdvisor

Its info is often terribly incorrect (see here for example, then click the View Community Reviews button to see how bad this adware vendor really is), so gives a false sense of security.

--------------

Go to Start > Run and type: cmd.exe and OK. At the prompt type or copy/paste each of the following, pressing Enter after each:

cd "%userprofile%\desktop"
combofix /uninstall

ComboFix should uninstall itself at this time.

--------

Eset, if you don't plan to use it again, uninstalls through Add/Remove Programs.

--------

You can also at this time delete the files/folders of the tools we used. To assist with some of that run OTL again. This will help by automatically removing some of the tools we used. Just click CleanUp, and select Yes. When it finishes removing some of the tools and files we used there just agree to the reboot.

In addition, I like to recommend reviewing the information at these locations, to make sure your system stays secure (links borrowed from Gringo):
http://www.techsupportforum.com/security-center/general-computer-security/525915-pc-safety-security-what-do-i-need.html
http://www.malwareremoval.com/forum/viewtopic.php?p=557960#p557960
  2. Habit from other places I assist. Instead of OTL, just download OTC.exe by OldTimer to your desktop. This will help by automatically removing some of the tools we used. Just click OTC.exe, then click CleanUp, and select Yes. When it finishes removing some of the tools and files we used there just agree to the reboot, and OTC should self-delete once the system has rebooted (if not just delete the OTC.exe file).
  3. System looks clean, and also looks like what we were seeking as hidden malware was actually AntiVir activities. How is everything running now please?
  4. We have been hunting an AntiVir chimera? I will have to install a copy and verify all that myself. Please do not reinstall any other security software until we complete our tasks here.

Go here and download Mischel's MBR Backup to your desktop, then click MBRBackup.exe to start the utility. Click Save MBR, and save that file to a location you can easily return to later. Then close MBR Backup. Zip a copy and email that saved file to me as an attachment please. The file is always prenamed MBR_year_month_day.bin. MBR_2011_05_27.bin for example.

--------------

Open and update Malwarebytes.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply.

If it calls for a reboot to complete the repairs do that as well then.

---------------

Disable your antivirus program and click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file to run the scanner. If you accept the Terms of Use, check the box and click Start. It will take a couple minutes for the scanner to get ready.

When the Computer scan settings display shows, check the following boxes:
Remove found threats
Scan unwanted applications

Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Then click the Advanced option, then place a check next to the following (if it is not already checked):
Enable Anti-Stealth technology

Click Start. This scan may take a while, so please be patient. If infection is found, at the end of the scan click "List of found threats". In that display, at the bottom, select the option to save the results as a text file, and save that to your desktop. Post that back here please.

Post that log and the Malwarebytes log please.
  5. No, that won't be a problem. Just scratching my head that I got the email notifications, but didn't respond here. Looks pretty good. Some updates to do. May want to uninstall Windows Desktop Search 3.01. More a slowness maker than a benefit on XP systems.

The logs show you have slightly outdated versions of vulnerable programs, so go to each of these sites and update to the latest version (keep your eyes open - they often slide in "opportunities" for things like Google, or McAfee's scanner):

http://www.adobe.com/downloads/ (For Adobe Reader and Flash Player - uncheck the useless McAfee scan, if offered)
http://java.com/en/download/manual.jsp (For Java 7 Update 4 - trying to slip Ask adware/spyware or Google to systems lately, so watch and uncheck it)

Actually, I don't see a Java install, which is important to correctly load many web page apps.

---------------

Go to Start > Run and type: cmd.exe and OK. At the prompt type or copy/paste each of the following, pressing Enter after each:

cd "%userprofile%\desktop"
combofix /uninstall

ComboFix should uninstall itself at this time.

--------

You can also at this time delete the files/folders of the tools we used. To assist with some of that run OTL again. This will help by automatically removing some of the tools we used. Just click CleanUp, and select Yes. When it finishes removing some of the tools and files we used there just agree to the reboot.

-------

In addition, I like to recommend reviewing the information at these locations, to make sure your system stays secure (links borrowed from Gringo):
http://www.techsupportforum.com/security-center/general-computer-security/525915-pc-safety-security-what-do-i-need.html
http://www.malwareremoval.com/forum/viewtopic.php?p=557960#p557960
  6. Some remnant services we need to remove, but just no ID elsewise. Is that a free version of AntiVir, that you can uninstall to help clear up what Gmer shows? I am not familiar with its current product enough to spot what part of the scan chatter belongs to it, or even if it now protects the MBR in some way. If so, do the following, then uninstall AntiVir, reboot and run a regular Gmer scan again.

If you haven't yet, go ahead and uninstall Vongo, which is no longer an active program.

Go to Start - Run, type cmd (and OK). Copy/paste each of the following at the prompt, Enter after each:

sc delete 0062421329956074mcinstcleanup
sc delete MOBCleanup

Type exit and press Enter to close the command window.
  7. I received the MBR copy, thanks. Looks like we're being snookered here - the mbr.dat file was just filled with empty spaces. Suggests maybe some watcher driver being loaded to block and distract things.

Go ahead and run ComboFix again, but also do the following after that:

Open Gmer again. Once it has completed its opening scan, this time just right click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and right click on your Desktop, choose "New" > Text document. Once the file is created, open it and right click again and choose Paste. Copy the information and post it here please.
  8. Shows the infected MBR in both scan logs, and Gmer sure showing some pretty suspect other activity. Wonder why what is there seems to be slipping past TDSSKiller's checks. We could replace the MBR with a Windows 7 default copy, but there is always a concern that will then have you lose access to any factory reinstall partition - press some key sequence during a reboot, and access a location that will then just return the system to factory state. Do you know if your system has that? If the malware has altered the MBR, then that access is already lost, and returning a default MBR would then serve to cripple the malware.

Run ComboFix again please, and post that log. Perhaps it repairing that .dll will open new doors for it.

Also locate the following highlighted file(s), zip a copy of it, and send it to jintan AT malwarecrypt.com as an attachment. Please place "Submitted Files - brightjoy2/mb/mbr" as the email Subject.

C:\Documents and Settings\Jeff\Desktop\MBR.dat
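Posts 7 and 8 above hinge on whether a submitted MBR copy is a genuine boot sector or filler (the mbr.dat "just filled with empty spaces"). The following is an added example, not code from this thread or from any of the tools it names, showing the sanity checks an analyst would run on a 512-byte MBR image before comparing it with a known-good copy: filler detection, the 55AA boot signature, partition-table parsing, and a byte-level diff of the bootstrap code. The sample images are constructed inline; the bootstrap bytes are placeholders, not real boot code.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE          # partition table starts here, 4 x 16-byte entries
BOOT_SIG = b"\x55\xaa"     # little-endian 0xAA55 at bytes 510-511

def parse_partitions(mbr):
    """Decode the four primary partition entries from a raw MBR image."""
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        parts.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts

def check_mbr(mbr):
    """Classify an MBR dump as 'invalid', 'filler', 'suspect' or 'plausible', with findings."""
    if len(mbr) != SECTOR:
        return "invalid", [f"expected {SECTOR} bytes, got {len(mbr)}"]
    # A dump made of one repeated byte (spaces, zeros) never captured a boot sector at all,
    # which is the 'filled with empty spaces' situation described in post 7.
    if len(set(mbr)) == 1:
        return "filler", [f"every byte is 0x{mbr[0]:02x}"]
    findings = []
    if mbr[SECTOR - 2:] != BOOT_SIG:
        findings.append("missing 55AA boot signature")
    if not any(mbr[:PT_OFFSET]):
        findings.append("bootstrap code area is all zeros")
    parts = parse_partitions(mbr)
    if sum(p["status"] == 0x80 for p in parts) > 1:
        findings.append("more than one active partition")
    for n, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {n}: bad status byte 0x{p['status']:02x}")
        if p["type"] and p["sectors"] == 0:
            findings.append(f"entry {n}: type 0x{p['type']:02x} but zero length")
    return ("suspect" if findings else "plausible"), findings

def bootstrap_diff(mbr, baseline):
    """Offsets where the bootstrap code differs from a known-good copy (partition table excluded)."""
    return [i for i in range(PT_OFFSET) if mbr[i] != baseline[i]]

def sample_mbr():
    """Constructed sample: placeholder bootstrap bytes, one active NTFS partition, valid signature."""
    mbr = bytearray(SECTOR)
    mbr[:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"   # constructed placeholder, not real boot code
    struct.pack_into("<B3sB3sII", mbr, PT_OFFSET, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    mbr[SECTOR - 2:] = BOOT_SIG
    return bytes(mbr)

if __name__ == "__main__":
    print(check_mbr(sample_mbr()))      # ('plausible', [])
    print(check_mbr(b" " * SECTOR))     # ('filler', ['every byte is 0x20'])
```

To use it on a real dump, read the MBR_year_month_day.bin file from post 4 with `open(path, "rb").read()` and pass it to check_mbr, then bootstrap_diff against a backup taken from a known-clean machine of the same Windows version.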
  9. Curious results so far, though hoping ComboFix catching and replacing a bogus .dll file will have changed something.

Since I have the info at hand, take note of the following, to choose to uninstall later once we are clear of this rootkit nonsense:

Vongo - Pre-installed by HP, now defunct.
Netscape Browser (remove only) - Same - pre-installed, no longer in use.

And these are resource wasters if you do not actually use them:

Yahoo! Toolbar for Internet Explorer
Yahoo! Toolbar
Bing Bar

-------------

Download MBRCheck.exe to your Desktop. Run the application. If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog: Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

------------

Run Gmer again, and post that log please.
  10. In fact, also with HijackThis, select Do a system scan and save logfile. Use copy/paste and post that log back here for review as well please.
  11. Very good - looks and reads as all clean now. Let's check installed programs to see what changes we need to make there, then we'll start wrapping things up. Download HijackThis from Here. Then click on the downloaded file, and install HijackThis. In HijackThis, click Config - Misc Tools - Open Uninstall Manager. Click on Save List, then save that to a location you can locate again (such as the desktop). Copy/paste the contents of that back here please.
  12. Usually in Safe Mode, although there still are active services running, the antivirus' most active components are disabled. So let's see how you do with the most recent steps.
  13. Surely was not the results I expected in any way. Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive. Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

Also run TDSSKiller after that, and post that log please.
  14. Really looking like bootkit MBR (Master Boot Record) infection there. Please do everything you can to make sure AntiVir is completely disabled. Just to be sure, reboot to Safe Mode for this next step. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear.

Click here and download Kaspersky's TDSSKiller to your desktop, but as you download it, rename it to larry.com then click that file to run TDSSKiller. In the display that opens click Start scan. Once that completes, follow any prompts to act on anything it located, including a reboot (Reboot Now) if requested. When the scan completes it will create a log file on your C drive. Similar in name to this:

C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt

Your copy will be different - some of those numbers will reflect the date/time it was just run by you there. Copy/paste those contents back here please. If it does locate malware, but does not prompt for a reboot, go ahead and do reboot. Assuming it did locate malware, and display a Reboot Now, do that, then run it again after the reboot, and post back both logs please.
  15. Welcome to Malwarebytes brightjoy2,

The logs don't quite reflect the likely bootkit/rootkit infection on that system, so let's take some different looks at things, then decide on repairs.

To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer. Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and right click on your Desktop, choose "New" > Text document. Once the file is created, open it and right click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop. Double click the aswMBR.exe icon to run it. If you can, have an open Internet connection and allow it to download the latest Avast engine detections. If avast! antivirus is already installed, just do the next step.

Click the Scan button to start the scan. On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

A lot, but comprehensive, and will make sure we get a good view of everything.