Posts posted by Fatdcuk
Posts: 20,705
-
You're welcome.
Here's some handy reading though: the Prevention page, with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Safe surfing
-
Ok, that is looking a whole lot better.
Is the computer playing nice now or are there still any issues?
-
Hi Dansar,
Unfortunately there is still malware on your PC, including a 5th rootkit infection (Backdoor.Rustock).
I have added defs for MBAM to attack your variant overnight, so please update and run MBAM QS, then post back the log generated.
Also please rerun ComboFix as you did earlier and post back the new ComboFix log + new HiJackThis log.
Thanks in advance
-
Hi Dan, can you paste the ComboFix logs and HJT logs into a reply so I can inspect them, just to make sure we can sound the all clear?
-
Ok, well, when you have the HJT log + MBAM log please start a new topic in the HJT help forum here>>>
http://www.malwarebytes.org/forums/index.php?showforum=7
If you follow the instructions to remove the UAC CLB variant driver first then MBAM will come to the malware kicking party
-
Hi and welcome to the MBAM help forums,
You almost certainly are infected with the CLB driver infection(WinNT.Alureon)
Please use the following walkthrough as a guide how to get MBAM back in action
http://www.malwarebytes.org/forums/index.php?showtopic=12709
-
Ok, that's getting a bit better.
Those service entries are only orphaned values, as the driver(s) they load no longer exist, but we will clean them up shortly.
Just noticed you now have a 4th rootkit onboard, an NDIS.sys patcher; that was some nasty infection you have had onboard.
Let's try and attack this and clean up the orphaned values.
STEP 01
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP. Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.
Additional links to download the tool: http://www.forospyware.com/sUBs/ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
-
Ok, it is possible that you have an active dropper on your PC that installed the older variant, and the service entry is not to be worried about for now.
If we kill both drivers present then we can get your PC cleaned up from there.
For now please do as I have directed>>>
Open RootRepeal and run hidden file scan only,
Locate both the following lines only and select *wipe file* for each one.
Path: C:\WINDOWS\system32\drivers\SKYNEToyfjtpeo.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\UAClnrhkbdoqcnoofq.sys
Status: Invisible to the Windows API!
Next you must reboot your PC, install, update and run MBAM quick scan, and then post back the log that MBAM generates.
Thanks in advance
-
Hi, my bad on communication AS, my CLB walkthrough suggested folks start a topic in the HJT forum if they were not sure which driver to hit and post up the RootRepeal log.
Hi Dansar and welcome to the MBAM forums
You have 2 variants of CLB driver infection onboard, UAC and the very recent Skynet variant
These are the 2 drivers you need to wipe with RootRepeal after the hidden file scan, then reboot.
Path: C:\WINDOWS\system32\drivers\SKYNEToyfjtpeo.sys
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\UAClnrhkbdoqcnoofq.sys
Status: Invisible to the Windows API!
Once rebooted, attempt to install, update and run Quick Scan with MBAM.
-
Try the following guide>>>
http://www.malwarebytes.org/forums/index.php?showtopic=12709
You have UAC variant onboard.
-
Hi Rocky,
This is a confirmed F/p, please add to your ignore list for now as it will be addressed shortly in an update.
Apologies for any inconvenience or alarm caused.
-
Hi avragorn,
That is a confirmed F/p, please add to your ignore list for now as it will be addressed shortly in an update.
Apologies for any inconvenience or alarm caused.
-
A lot better now
Here's some handy reading though: the Prevention page, with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Safe surfing
-
Ok, that's looking a lot better now.
Open HijackThis and Fix Checked the following lines only:
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
Are you now able to update software and browse in regular mode?
-
Ok, forgot RootRepeal doesn't like Vista too much.
Not sure what you have done, as MBAM now picked off one of the .DLLs normally hidden by the CLB driver, but that's not a bad thing.
Onwards then
STEP 01
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP. Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.
Additional links to download the tool: http://www.forospyware.com/sUBs/ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
-
Hi and welcome to the MBAM forums
You have the CLB rootkit infection on board so please use the following walkthrough as a guide to removing it.
http://www.malwarebytes.org/forums/index.php?showtopic=12709
Please post back with most recent MBAM log and HijackThis log.
Thanks in advance!
-
Hi,
When you installed MBAM did you decline to update the Database to the current version ?
The reason I ask is that on the initial install of the software it has the old definitions database that was current when that version of the software was released.
Since then a number of detections and types of detections have been reviewed and removed from the definitions database.
This could be the cause of what you are seeing.
-
Happy birthday Gordon, and hope you're having a great day!
-
Hi,
This is a confirmed False Positive and has been addressed with update 2023
Sorry for any inconvenience/alarm caused
-
Hi,
This is a confirmed False Positive and has been addressed with update 2023
Sorry for any inconvenience/alarm caused
-
Woo-hoo next stop the double
Congratulations to all the MBAM team on this achievement and all the hard work that has gone into getting the software where it is today
-
Please advise; my further concern is it's not finding any infected files & by the time it is stalling it is already nearly finished. I know that this virus is on my computer though. So if you have any thoughts about that as well I'd greatly appreciate it!
Thanks so much for all your help!
Jess
Hi,
If it is stalling towards the end of the scan at the same point then there is the potential for one scenario that I have witnessed whilst using MBAM to clean out infections dropped by P2P worms.
The last part of the MBAM scan is what we call Heur+EXTRA's and is what we hit a lot of malware out with.
The issue I experienced was there was a folder with over 22,000 copies of a worm inside of it, so when MBAM encountered this folder it took it some 40 mins to enumerate and check all the files within (of which all were detected as Worm.Archive).
The time it took to enumerate all the files in the folder would have given the appearance of the software stalling, but in fact it was just working overtime due to the sheer volume of extra workload on it.
Try scanning again in regular mode, then leaving the PC alone for a couple of hours to see if MBAM is able to complete the scan.
Be forewarned: if this is the same scenario as what is occurring on your PC then it will also take a long time for MBAM to delete the files at the end of the scan because of the sheer volume of removals. We are talking GBs of worm-replicated files.
-
Banning me will not help, I can go from server to server all US and CANADA and open new accounts and we will not even know..
Claudiu,
Canada
Ah of course now your colours are coming out for all to see.
Yes, we are aware how you harassed and trolled the Kaspersky help forums for the last 3 years also!
Anyway, it's a fact of life that forum trolls exist and have nothing better to do than spread FUD, but at least now we have a point of reference for any of your future activities at our forums.
I'm going to lock this thread as there is no more discussion to be had here, but just a piece of sincere advice which most of us will agree on.
Get a life!!!
-
Hi,
I have killed the live links to save folks from getting infected.
Nasty little trojan at the end of that rabbit hole and no AVs have it targeted yet!
http://www.virustotal.com/analisis/b2675b4...c577b179ed88b92
MBAM won't run (Fix)
in PC Self-Help Articles and Guides
Hi all,
Newer variants of this malware have become more inventive in how they stay installed on machines by attacking all cleaning software/tools so they do not run.
In fact the malware only allows certain core system components to run and your browser.
Everything else is flagged by the software as infected and blocked from running.
The truth is they are not infected, and the malware is in fact the software that is causing the issues and trying to get you to buy it in order to remove the problem.
Symptoms are very obvious, and if it is installed there is no escaping the raft of fake alerts generated by the software and the fact that virtually all your other software is no longer able to run.
The fix(es)
If you already have MBAM installed on your computer.
Please navigate to the MBAM folder located in the Program Files directory.
Locate MBAM.exe and rename it to winlogon.exe
Once renamed double click on the file to open MBAM and select Quick Scan
At the end of the scan allow MBAM to remove what it had found then reboot.
Goodbye SystemSecurity
If MBAM is not installed
Download the following file and save to your desktop.
http://live.sysinternals.com/procexp.exe
Rename the file to winlogon.exe and then run it.
In order to get MBAM installed you will need to identify and terminate/kill the SystemSecurity process.
As you see from the screenshot, it is very easily identified by its shield icon and use of random numbers for its executable, e.g. 1234567.exe, 638476435.exe, 453732.exe, and the list goes on.
Highlight the shield icon/random.exe line, right-click and select Kill Process.
SystemSecurity will no longer be active in memory but is still installed so best let MBAM rip it good and proper
Reboot and byebye SystemSecurity
We hope our application has helped you eradicate this malicious Malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.
**Subnote**
If after removing System Security you are experiencing MBAM finding Trojan.Agent and Rootkit.Trace but it is failing to remove them then you have been infected with a blended(multiple) infection and also have the CLB WinNT/Alureon rootkit active on your computer.
Here is the canned fix/solution for removing that rootkit>>>
http://www.malwarebytes.org/forums/index.php?showtopic=12709
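An added example, not part of the original post or of Malwarebytes' tooling, for the process-identification step in the guide above: a PowerShell function that lists running processes whose executable name is purely numeric, the naming habit the post attributes to SystemSecurity. It assumes Windows PowerShell 5.1 or later run from an elevated prompt so that every process's Path is readable; the function name is hypothetical.

```powershell
# Added example (not from the original post). Lists running processes whose
# image file name consists only of digits (e.g. 1234567.exe), the pattern the
# guide above describes for the SystemSecurity rogue.
# Assumes Windows PowerShell 5.1+ started from an elevated prompt.
function Get-NumericNamedProcess {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |   # processes we cannot query have no Path
        Where-Object {
            [System.IO.Path]::GetFileNameWithoutExtension($_.Path) -match '^\d+$'
        } |
        Select-Object Id, ProcessName, Path
}

# A hit is a lead to inspect (icon, location, signature), not proof on its own.
$suspects = Get-NumericNamedProcess
if ($suspects) {
    $suspects | Format-Table -AutoSize
} else {
    Write-Output 'No purely numeric process names found.'
}
```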