Fatdcuk

Honorary Members
Posts: 20,705

Posts posted by Fatdcuk

  1. Hi ya,

    I need you to run a couple of tools for me and post back all logs :(

    1) STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

    2) Please download GooredFix and save it to your Desktop.

    http://jpshortstuff.247fixes.com/GooredFix.exe

    Select "2. Fix Goored" by typing 2 and pressing Enter.

    Make sure all instances of Firefox are closed at this point.

    Type y at the prompt and press Enter again.

    A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

    Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

  2. Hi ya,

    For my sins I am a contracted outside consultant, self-employed, but as a rule of thumb virtually all helpers at forums such as these are volunteers who do a magnificent job :(

    My principal duties are away from the forums, dealing with malware research, but in times of need I'm only too willing to help out my client in any way, shape or form.

    Right, not seeing the hidden CLB driver in the GMER logs, and MBAM has updated, which would suggest it is no longer active :(

    We need just to complete a few more tasks before we sound the all clear so if possible could you do the following.

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

  3. OK, let's see if we can get ComboFix to defeat the CLB driver :(

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

  4. OK, time to unpack another powerful diagnostic tool :(

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

  5. OK, well, glad to hear it has been nuked :D

    Can you please do the following routine before we can sound the all-clear.

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

  6. OK, time to use a more powerful diagnostic tool to see what's going on :D

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

  7. Hi ya,

    Glad to hear you have yanked the CLB driver :D

    If possible I would like to see the MBAM quick scan log after CLB was nuked!

    Let's have a looksee with another powerful diagnostic tool to check whether any more infection components are left.

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

  8. Hi and welcome to the MBAM forums :(

    Yes, there are multiple parts to the infection on your computer, and this is going to take some fancy footwork to get your mess cleaned up!

    Please use the following walkthrough as a guide>>>

    http://www.malwarebytes.org/forums/index.php?showtopic=12709

    Your CLB variant will have the prefix =TDSS

    Once you have identified and killed the CLB driver if present please update and run MBAM quickscan.

    Please post back the MBAM log from that scan and a fresh HJT log then we will be ready to move onto stage 2 of the cleanup :D

  9. Hi,

    You have 2 very unpleasant rootkits present on the computer that are going to take some fancy footwork to displace!

    First to be addressed is the one that's not showing but is preventing MBAM from updating to its current database.

    The MBAM log is still showing you on Database version: 1749 and we are currently up to 1897.

    Please use the following walkthrough to diagnose (and cure) the CLB Rootkit Driver, if present.

    http://www.malwarebytes.org/forums/index.php?showtopic=12709

    When you have done this, open MBAM, go to the Update tab and select Check for Updates.

    Now run quick scan and post back the MBAM log generated.

    Thanks in advance.

  10. Ok we have a contender :(

    The following entry is almost certainly the restoring Sentinel driver-

    + pznnpjkb Microsoft Kernel DRM Audio Descrambler Filter (Not verified) Microsoft Corporation c:\windows\system32\drivers\pznnpjkb.sys

    If possible I will need to inspect the file to confirm 100%, at which point I can give new instructions to MBAM to attack that driver.

    Please can you retrieve a copy of pznnpjkb.sys, then zip it up and upload it to a new topic in the following forum so I can take a peek inside of it :D

    http://www.malwarebytes.org/forums/index.php?showforum=55

    Thanks in advance.

  11. Hi and welcome to the MBAM forums :(

    RootRepeal is not playing nice on your infected computer, so we will have to try another angle of attack.

    I'm guessing you still can't update MBAM, as we are up to DB 1891 currently?

    Let's see if we can get the GMER ARK to deploy on the infected system and play ball for us :(

    http://www.gmer.net/files.php

    Download GMER.exe and rename it to foo.exe

    Next run and if available post back the report log generated.

    Also if MBAM can update please run a scan with recent db and post back new report if available.

    Thanks in advance.

  12. Hi and welcome to the MBAM forums :(

    Yes, you do have Rootkit.Sentinel on board, and it has a second driver which is not being hit, reinstalling the whole infection every time you reboot.

    We will need to locate and identify this driver in order to effect a killshot on this infection!

    So without further ado please do the following.

    Download and install Autoruns.

    http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

    When you first run it, it will generate an extensive listing and the word "Ready" will appear in the bottom left of the software GUI.

    At this point go to Options and place a check (tick) against Verify Code Signatures and Hide Microsoft and Windows Entries. Next press the F5 button to refresh.

    Once the software shows the Ready status again, go to the File menu. Select "Export as" and save the output file as Autoruns.txt

    Can you please then copy and paste the contents of that text file into your next reply for analysis.

    Thanks in advance
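Posts 10 and 12 together describe a triage that can be scripted: with Verify Code Signatures and Hide Microsoft and Windows Entries both on, every genuine, signed Microsoft entry disappears from Autoruns, so an entry that still shows "(Not verified) Microsoft Corporation" as its publisher (as the pznnpjkb driver in post 10 does) is exactly the kind of leftover worth inspecting. The script below is an added example, not Fatdcuk's or Malwarebytes' code. It assumes the old tab-separated Autoruns "Export as" text layout (a registry-location header line, then "+ entry, description, publisher, image path" lines), which matches the shape of the line quoted in post 10; the sample export is constructed, and the name-randomness heuristic is this example's own, not something Autoruns does.

```python
"""Triage an Autoruns text export for unverified entries that claim Microsoft
as publisher, live in the kernel driver directory, run from a temp folder or
carry a random-looking name. Added example; assumed tab-separated layout."""
import re
from dataclasses import dataclass, field

# Constructed sample export (not a real log). The pznnpjkb line is the one
# quoted in post 10; the other lines are made up for illustration.
SAMPLE_EXPORT = (
    "HKLM\\System\\CurrentControlSet\\Services\n"
    "+ pznnpjkb\tMicrosoft Kernel DRM Audio Descrambler Filter\t(Not verified) Microsoft Corporation\tc:\\windows\\system32\\drivers\\pznnpjkb.sys\n"
    "+ MBAMService\tMalwarebytes' Anti-Malware Service\t(Verified) Malwarebytes Corporation\tc:\\program files\\malwarebytes' anti-malware\\mbamservice.exe\n"
    "+ vmxnet\tVMware Ethernet Adapter Driver\t(Not verified) VMware, Inc.\tc:\\windows\\system32\\drivers\\vmxnet.sys\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "+ Updater\tMicrosoft Update Helper\t(Not verified) Microsoft Corporation\tc:\\docume~1\\user\\locals~1\\temp\\updater.exe\n"
)


@dataclass
class Entry:
    location: str      # registry location header the entry appeared under
    name: str          # autostart entry name (service/driver name)
    description: str
    publisher: str     # "(Verified) ..." or "(Not verified) ..."
    image_path: str
    reasons: list = field(default_factory=list)


def parse_export(text):
    """Yield Entry objects; lines not starting with '+ ' are location headers."""
    location = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith("+ "):
            location = raw.strip()
            continue
        fields = raw[2:].split("\t")
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess at columns
        name, desc, pub, path = (f.strip() for f in fields[:4])
        yield Entry(location, name, desc, pub, path)


def looks_random(name):
    """Example heuristic: 7+ letters, no digits, fewer than 30% vowels."""
    s = name.lower()
    if not re.fullmatch(r"[a-z]{7,}", s):
        return False
    vowels = sum(c in "aeiou" for c in s)
    return vowels / len(s) < 0.3


def triage(text):
    """Return unverified entries with at least one reason, most reasons first."""
    findings = []
    for e in parse_export(text):
        if not e.publisher.startswith("(Not verified)"):
            continue  # signature verified: not the pattern this triage targets
        path = e.image_path.lower()
        if "microsoft" in e.publisher.lower():
            e.reasons.append("claims Microsoft as publisher but signature is not verified")
        if "\\system32\\drivers\\" in path:
            e.reasons.append("kernel driver under system32\\drivers with unverified signature")
        if "\\temp\\" in path:
            e.reasons.append("runs from a temp directory")
        if looks_random(e.name):
            e.reasons.append("entry name looks randomly generated")
        if e.reasons:
            findings.append(e)
    findings.sort(key=lambda e: -len(e.reasons))  # stable: ties keep file order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"[{len(f.reasons)}] {f.name}  {f.image_path}")
        for r in f.reasons:
            print("    -", r)
```

On the constructed sample the pznnpjkb driver comes out on top with three reasons (unverified Microsoft claim, kernel driver location, random name), the temp-folder "Updater" second, and the unverified but plausibly named VMware driver last; the verified Malwarebytes service is not reported at all. The ranking is only a prioritisation for the kind of manual file inspection post 10 asks for, not a verdict.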

  13. OK, well, your log is looking fairly clear now; are your searches still being hijacked?

    Have HJT fix the following entries only, by placing a check in the box next to the relevant lines.

    R3 - URLSearchHook: (no name) - {ABE9C052-8DBA-36A6-CB42-D2DD0083434C} - NSYSCPLSTR.dll (file missing)

    O2 - BHO: {9636d4e2-f0ed-533b-1754-2ed9ba71116e} - {e61117ab-9de2-4571-b335-de0f2e4d6369} - (no file)

    Also I can see from your HJT log that you have an older, vulnerable version of the Java software installed.

    You will need to uninstall all versions via the Add/Remove Programs control panel and make sure you have only the most recent version installed, Version 6 Update 13.

    http://java.com/en/download/index.jsp
