Fatdcuk (Staff)

Posts posted by Fatdcuk


  1. Hi,

    I have some bad news that one of the trojans lifted by MBAM is purpose built password stealer.

    Since we have no idea how long it has been active or what data it has harvested it is advisable once the all clear is sounded to change all passwords/logins that you have used on this PC both on the machine and your online activities!

    I need a couple more logs just to dig a bit deeper to check if all is well!

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


  2. Hi,

    First off, sometimes the damage created by infections can be somewhat of a PITA to sort out, so sometimes symptoms persist but the infection is no more. In extreme cases the only full recovery is a full restore and reformat of the computer, but hopefully we will try to avoid that option.

    Some changes can be undone by running a repair install of the OS, so do you have the OS install disk handy for this computer?

    But first, in order to see if you still have any malware active on the machine we need to run deeper diagnostic tools, so please do the following.

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


  3. Great:D

    Well, purchase is optional; as I said, we provide a fully functioning detection and cleaning engine for FREE.

    Probably our selling pitch is that our realtime protection module can prevent in realtime what the engine rips off the infected PC, so we are always a good purchase to complement any AV in protecting someone's PC from getting infected in the first place :(


  4. Hi ya,

    CLB driver infection has definitely left the building and normal service is being resumed :(

    Your HiJackThis +GMER logs are looking good to go now.

    MBAM is still using old Database tho!

    Just one last diagnostic log I would like to see, so if you could do the following.

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder. Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


  5. Last sentence isn't very clear, my friend recommended Malwarebytes to me, I'm wondering if this is the appropriate program to get.

    The great thing about MBAM is that it offers a FREE fully functioning detection and removal engine :)

    With that you have nothing to lose by trying out MBAM versus your fake alert infection but certainly a reformat and reinstall is not called for to cure this!

    The only time MBAM will cost is if you choose to purchase its realtime protection component.

    That is of course optional and not mandatory :(


  6. Hi ya,

    I believe the CLB driver has been purged from your system despite the conflicting data in the reports.

    Things that suggest CLB is RIP

    RootRepeal is not seeing any hidden driver or files

    GMER is reporting the hidden service entry* but no hidden files

    *This entry will remain on a machine until it is removed by a purposely used ARK tool/fix.

    The only bothersome thing is your MBAM database used is out of date.

    Now CLB sometimes prevents MBAM from updating and/or running, so this is normally a pointer to it being active on a system.

    So let's find out for sure what's going on :(

    Open GMER again and scan, and go to the following entry only.

    Service system32\drivers\gaopdxwfnsoqfwixepomthbqbypgmerxhpqxiu.sys (*** hidden *** ) [sYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

    Right click on it and select *delete service* and then Reboot.

    On reboot, try to see if MBAM will update to the most recent DB 1882.

    Next rescan with GMER to see if the Hidden service entry remains.

    Thanks in advance.


  7. Hi,

    1 registry entry (worm related) would not indicate an active worm infection on your computer.

    As you suspect it might be what is known as an orphaned value from a previous infection.

    As far as the Security centre settings go, they can be modified by any of the following:

    1) Active infection

    2) Installed 3rd party software

    3) End user can knowingly turn off these features manually.

    MBAM has no way of determining who's set the values to disabled, but when we remove these detections we don't delete the registry key but restore the registry key data to default value=Enabled.

    Now your next concern is that since you have SP1 installed, then where did this security centre registry key come from? Again we have no idea what installed it on your PC, but there are only 2 options really: it was either a consented install by a software or possibly an infection.

    Anyway, since you do not have Security Centre installed then I would recommend that you add the detections to the MBAM ignore list for now :(

    If you are still concerned that you might have an active malware infection on your PC then start a new topic at our HJT forums and from there an expert can assist you in running some advanced diagnostic tools to check if your PC is clean.

    http://www.malwarebytes.org/forums/index.php?showforum=7


  8. Hi Steve,

    Your computer is still infected, hence why there are still issues :(

    Ok, CLB is still present but at least GMER was able to run for this particular variant.

    We need to attack 1 file only listed in the GMER report so you will need to follow these instructions to the letter.

    Open GMER again and allow it to perform a full scan. When completed you need to locate the following entry only

    File C:\WINDOWS\system32\drivers\UACcoihaiqd.sys 65536 bytes executable <-- ROOTKIT !!!

    ** Module/service etc. leave well alone as this is the only file and path to attack it from.

    Highlight the line in GMER and then right click on mouse and select *Kill file*

    Reboot immediately!

    Next open MBAM and see if it will update to current DB= 1880. If it does then run a full scan and post back the log generated.

    Last steps please repeat the instructions in this post>>>

    http://www.malwarebytes.org/forums/index.p...ost&p=65563
