Posts posted by Fatdcuk
Hi Diana,
I need to see the report copied and pasted into a reply, as saving it to a text file and uploading that creates a nightmare of data to wade through because it's all bunched up.
If needed please split the log contents in half and post them in 2 separate replies.
Thanks in advance
-
Hi ya Jay,
CLB\Alureon rootkit has now left the building according to ComboFix
Just want to check for something, so please run Rootrepeal again.
Download Rootrepeal:
http://rootrepeal.googlepages.com/
Extract the file and run rootrepeal.exe
Click on report tab on the bottom right of the software then press scan
Put a check (tick) in all boxes except the 2 SSDT options, then press OK.
Place a check (tick) in the drive to be scanned (usually you will only have to select C).
Please save the logfile generated and copy and paste the contents of that log into your next reply.
-
Ok then, let's try another angle of attack.
STEP 01
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP. Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.
Additional links to download the tool: http://www.forospyware.com/sUBs/ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
-
Hi and welcome to the MBAM forums
Let's skip to plan B and see if this angle of attack works.
-
Hi Diana and welcome to the MBAM forums
You have the CLB/WinNT.Alureon rootkit onboard that is causing the problem.
Please use the following walkthrough as the fix/solution.
http://www.malwarebytes.org/forums/index.php?showtopic=12709
Please post back the MBAM log generated after running the fix.
Thanks in advance
-
Hi ya,
I have snipped the PM advice as it would be confusing.
-
Now some MBAM avatars please
-
Hi,
When you remove an object using MBAM it is sent to quarantine.
The free version has a fully functioning detection and removal engine.
-
Makes you wonder what that person was thinking (or apparently not thinking).
It's very straightforward: a2 are struggling to get their product into an already saturated market, so anything goes......
They can't establish in the core market as the big AVs have that sewn up, so they are pushed out to the security forums for an entry point.
They see our growth and success and would like to emulate it.
MBAM is red and A2 is blue; the figures make very depressing reading for a2/Emsisoft.
http://www.google.com/trends?q=a+squared%2...=ytd&sort=1
lol at Mr ex employee's claims that a2 has a greater presence in Germany than MBAM..google trends doesn't agree.
Judging by a series of recent events around the security boards, bogus tests by a2, F/Ps against MBAM and now these PMs, they really are scraping the bottom of the barrel to get noticed.
If they want to emulate MBAM then all they have to do is start cutting it in the real world....shills always remind us about their stellar detection rates, but their tech sucks at removing the real gnarly stuff.
Maybe if their dev department spent less time hacking our technology and database and concocting crass PR campaigns to get attention, they might have more time to improve their own software.
JMHO, but if a company has to resort to these kinds of tactics to get their software noticed, then really the software can't be doing a good job of selling itself in the first place. After all, their free version has been around for some time now....
-
Kudos for direct action, whatever it was.
Now all the rest of the sec comm vendors need is a name so they can avoid hiring him\her.
Named and hopefully shamed!
http://forum.emsisoft.com/Default.aspx?g=p...p;m=32702#32702
Mike Christenson, the person responsible for the PM you quoted, is no longer part of Emsi Software GmbH. He was fired today (actually yesterday) as soon as we became aware of the mails and PMs he was sending out.
-
Hi ya,
Not sure why CF has gone after that entry, but it is easily restored.
Navigate to C:\QooBox
Locate file named HKLM-Run-POINTER.reg.dat
Rename it to HKLM-Run-POINTER.reg
Then double click on the file to remerge the data back into your registry.
Reboot to see if that solves the issue.
Thanks in advance
-
Hi ya,
Your logs are looking good to go.
Any more issues?
-
Hi ya,
Would you be so kind as to copy and paste the contents of combofix.txt into your next reply so it appears as the HJT report does and not as an attached document.
Thanks in advance
-
Hi ya and welcome to the MBAM help forums
If the file UACqfwowxdapamixevdy.sys has been removed by MBAM then this is just the orphaned service key. The malware changed the permissions on the key to make it hard to remove.
-
Hi Ktulu,
I too have seen many times malware called setup.exe located on the root drive, and I believe that is why our heuristics aggressively hit PE files located there.
The downside being I have seen a few cases where people have chosen to save legitimate setup.exe's to the root drive instead of the more traditional locations for installers (My Documents, Desktop & Temp).
As far as recurring files go, if we delete them and they respawn then there will almost certainly be something else active that is respawning them, and not a failure to delete on our behalf.
At this point our advice would be to post in our HJT help forum so an expert can help troubleshoot and remedy the issue with specialist tools.
-
Yes, the MBAM realtime protection module in the Pro version is designed to block what we remove.
Looking back at your infection, it would not have got installed had our PM been guarding it.
That said, although we have extremely high detection and removal rates, unfortunately no software can guarantee to detect all malware all the time, and that is the nature of the beast today.
What you can do is practice safe surfing habits that reduce the likelihood of an encounter in the first place, so I will leave you with my closing canned speech, but seriously there is some really useful info in there.
Here's some handy reading, the Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
We hope our application has helped you eradicate this malicious Malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.
Safe surfing
-
Ok then, I will lock this topic as resolved.
-
Ok you,
Apologies for ComboFix, but it is coded to undo changes that certain malware infections make.
E.g. a lot of fake alert trojans will take your desktop image and replace it with a warning message that you are infected etc.
Going by memory it resets your system clock, but on the whole it is not considered to have bad side effects.
How is the computer behaving now?
-
Hi ya,
It has been confirmed F/P again and the DB has now been updated to remove this detection.
Please update and check again to see if this is the case.
Thanks in advance
-
That's a lot better, the UAC rootkit just got nailed.
Just a couple more logs to check before we can sound the all clear.
-
Hi Melly,
That rules out a nagging concern that I had. So with that I believe, unless you are experiencing any more issues, you are good to go.
-
Hi ya,
That file was legitimate...I hate it when M$ don't verify their own files, as this is usually the domain of malware trying to pretend to be a legitimate system file, but alas not the case here.
After some heavy duty researching I can't find any malware underneath the surface with my tools.
The HIDEC.exe process, which is used to hide windows/command boxes, was probably installed by one of your resident softwares. Something has corrupted this process, and now I believe that is the root of the command boxes opening up with browser use etc.
As to what is causing the issues again, it might be damaged software installs, a damaged OS or software conflicts. Unfortunately I can't diagnose that across the board, and if the patient was in front of me I would attempt to uninstall softwares and reinstall them to see if that made any difference + attempt to get an OS repair install.
-
Ok Melly, not sure why that's not playing nice, so please just run mbr.exe and post back the contents of the log generated. It will be a text file on the desktop, mbr.log.
-
Hi ya,
If possible could you locate the following file and upload it to VirusTotal for malware checking.
Please post back a link to the report generated, as I will need to verify some support data on the file from it.
pmem Physical Memory Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\pmemnt.sys
-
Rootrepeal is not running as it should (in Resolved Malware Removal Logs)
Hi ya,
Please boot into safe mode and attempt to run ComboFix from there.