Fatdcuk

Staff
Posts posted by Fatdcuk

  1. Hi ya,

    Nothing is jumping out of the HJT log now, so are there any more issues being experienced?

    There was 1 suspicious entry in your earlier ComboFix log that needs checking. See if you can locate the following file in the system32 folder.

    c:\windows\system32\windrv.sys

    If you can locate it, please upload it to VirusTotal for 39 second opinions and post back a link to the report page generated :(

    http://www.virustotal.com/

    Thanks in advance.
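As an added example (not part of the post above, and not a Malwarebytes or VirusTotal tool): before uploading a suspect file such as the driver named above, a responder usually hashes it and looks the hash up first, since VirusTotal identifies files by SHA-256 and a file it has already seen needs no upload. The script uses VirusTotal's public v3 API, which postdates this thread; it assumes an API key in the `VT_API_KEY` environment variable and a file path on the command line (both assumptions), and the path default is only the one quoted in the post.

```python
"""Hash-first VirusTotal check for a suspect file (added example, not from the post)."""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILES_API = "https://www.virustotal.com/api/v3/files/"   # v3 file-object endpoint
VT_REPORT_GUI = "https://www.virustotal.com/gui/file/"      # human-readable report page


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def vt_report_url(sha256: str) -> str:
    """Link to post back in the thread; VirusTotal keys file reports by SHA-256."""
    return VT_REPORT_GUI + sha256.lower()


def summarize_stats(stats: dict) -> str:
    """Render last_analysis_stats as 'detections/engines', as forum replies quote it.
    Engines that returned a verdict (malicious, suspicious, undetected, harmless)
    count toward the total; timeouts and unsupported types do not (my convention)."""
    verdict_keys = ("malicious", "suspicious", "undetected", "harmless")
    total = sum(stats.get(k, 0) for k in verdict_keys)
    detections = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return f"{detections}/{total}"


def vt_lookup_stats(sha256: str, api_key: str):
    """GET the existing report for a hash. Returns last_analysis_stats, or None when
    VirusTotal has never seen the file (HTTP 404), in which case an upload is the next step."""
    req = urllib.request.Request(VT_FILES_API + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["data"]["attributes"]["last_analysis_stats"]
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    # Assumed usage: python vt_hash_check.py <path>, key in VT_API_KEY (assumption).
    target = sys.argv[1] if len(sys.argv) > 1 else r"c:\windows\system32\windrv.sys"
    digest = sha256_of_file(target)
    print("SHA-256:", digest)
    print("Report:", vt_report_url(digest))
    key = os.environ.get("VT_API_KEY")
    if key:
        stats = vt_lookup_stats(digest, key)
        if stats is None:
            print("Not on VirusTotal yet; the file itself would need uploading.")
        else:
            print("Detections:", summarize_stats(stats))
```

Looking up the hash before uploading also avoids sending a file that may contain private data off the machine when a verdict already exists.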

  2. Hi all,

    Symptoms are very obvious: fake alert screens, fake security software activity and browser hijacking.

    (screenshot: totalsecurity.jpg)

    Recent variants of Total Security have been blocking MBAM from running and subsequently preventing the software from detecting and removing it B)

    It does this by terminating the process (mbam.exe) when it is loaded into memory in order to run.

    In order to get MBAM to run we will need to turn the tables on Total Security and kill its active process first!

    This can be done very easily by the following walkthrough :)

    Download Process Explorer and install. Please use only as directed*

    http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

    We need to identify which is the Total Security entry....very easy at the moment as it is tsc.exe, and the little shield icon is a giveaway should they change the name of the .exe file.

    Next up, go to the tsc.exe entry in the Process Explorer main window by hovering your mouse pointer over it.

    When there, right click on your mouse to select it, next choose Kill Process and then confirm (Yes).

    (screenshot: peversusts.jpg)

    Finally, update and run a quick scan with MBAM and Total Security will be no more :)

    We hope our application has helped you eradicate this malicious Malware.

    If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.

    Disclaimer to the more learned readers:

    Task Manager can also be used to terminate tsc.exe, but in some of the installs of this rogue TM has been disabled by the infection. Hence the use of the imported Process Explorer :(

  3. Ok then (round 2, here we go)

    Let's have a deeper look at what's going on

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
    Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

  4. Hi ,

    It's been an enjoyable challenge B)

    The 2nd AV you have in operation is Norton/Symantec.

    Unfortunately I do not know whether the Norton/Symantec security suite can be configured to not run the AV component in real time, as I have no experience with this product.

  5. Hi, there are quite a few issues to be addressed.

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
    Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

  6. Hi ya,

    RootRepeal is not functioning 100% on your computer, probably as a result of a corrupted installation. Do not attempt to delete/wipe or force-delete any files with it now.

    The drivers scan has detected the CLB driver (UACcoihaiqd.sys) as present, but since CLB fakes its driver path, attempting anything against the driver from the drivers scan option will fail.

    The hidden file scan is reporting some very unusual data, but there are no CLB related entries there, which leads me to believe the tool is not functioning properly.

    We will need another advanced tool in order to attack the resident CLB driver.

    STEP 01

    Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:

    Please ensure you read this guide carefully and install the Recovery Console first.

    NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
    Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

    Additional links to download the tool:

    http://www.forospyware.com/sUBs/ComboFix.exe

    Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

  7. Well, it looks like the reinstall got MBAM working as it should and your HJT log is showing clean now B)

    Are you experiencing any more issues?

    I will add that running 2 AVs in real time will cause a possible performance hit on your computer, as they will both be chewing over the same operations, and potential conflicts can occur as a result.

  8. Hi ya,

    I'm a little bit concerned that MBAM doesn't appear to be removing those listed files/registry values that it is detecting.

    There is nothing in the HJT log suggesting that they are being reloaded by malware, so I'm wondering whether you have a corrupted install of MBAM.

    Can you please do the following actions.

    Please uninstall MBAM then Reboot.

    Next install MBAM again and update the definitions file then Reboot immediately.

    Next run MBAM Full scan and then make sure you let it remove all that it finds and then reboot.

    Next run MBAM quickscan and post back the log generated from that scan.

    Next up, rename hijackthis.exe to qwerty.exe and then run it.

    Please post back the new HJT log.

    Thanks in advance.

  9. Here goes,

    Please open HijackThis and place a check (tick) next to the following lines only.

    F3 - REG:win.ini: run="C:\Documents and Settings\Owner\Application Data\Adobe\Manager.exe"

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    O2 - BHO: Gamevance - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - (no file)

    O2 - BHO: &Research - {D263FA6D-84CC-48A8-9AF6-C664362B7A5B}-C:\WINDOWS\system32\winconfig.dll

    O4 - HKCU\..\Run: [63B168450941A5A7CAD69F98AFA7FE7B] C:\Program Files\A360\av360.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

    O20 - Winlogon Notify: crypt - C:\WINDOWS\

    Next, reboot and run a 2nd MBAM quick scan. If MBAM finds any more stuff please post back the log and finally a fresh HJT log.
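As an added example (not part of the post above, and not code from HijackThis or Malwarebytes): a small Python parser for HJT log lines of the kind listed in this post, with a few defender-side heuristics of my own (orphaned entries, autostarts from user-profile paths, long hexadecimal run-key names, directory-only Winlogon Notify entries, DPF downloads). The sample input is the set of lines quoted above plus one constructed benign run entry; the heuristics are hints for a reviewer, not verdicts.

```python
"""Minimal HijackThis (HJT) log line parser with defender-side heuristics."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the HJT lines quoted in the post above, plus one
# benign-looking run entry (constructed, not from the page) that the heuristics
# should leave unflagged.
SAMPLE_HJT_LINES = [
    r'F3 - REG:win.ini: run="C:\Documents and Settings\Owner\Application Data\Adobe\Manager.exe"',
    r'O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)',
    r'O2 - BHO: Gamevance - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - (no file)',
    r'O2 - BHO: &Research - {D263FA6D-84CC-48A8-9AF6-C664362B7A5B}-C:\WINDOWS\system32\winconfig.dll',
    r'O4 - HKCU\..\Run: [63B168450941A5A7CAD69F98AFA7FE7B] C:\Program Files\A360\av360.exe',
    r'O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)',
    r'O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab',
    'O20 - Winlogon Notify: crypt - C:\\WINDOWS\\',  # trailing backslash, so a plain string
    r'O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example Vendor\updater.exe',  # constructed benign line
]

SECTION_RE = re.compile(r'^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*')
URL_RE = re.compile(r'https?://\S+')
RUNNAME_RE = re.compile(r'\[(?P<name>[^\]]+)\]')


@dataclass
class HjtEntry:
    section: str
    raw: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    url: Optional[str] = None
    run_name: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def _heuristics(e: HjtEntry) -> List[str]:
    """Hints for a human reviewer, not verdicts (my own heuristics)."""
    flags: List[str] = []
    if '(no file)' in e.raw:
        flags.append('orphaned')            # registry points at a file that is gone
    if e.path:
        if re.search(r'\\(documents and settings|users)\\', e.path, re.I):
            flags.append('user_profile_path')   # autostart from a user-writable location
        if e.path.endswith('\\'):
            flags.append('path_is_directory')   # no module name, e.g. a bare Winlogon Notify dir
    if e.run_name and re.fullmatch(r'[0-9A-Fa-f]{16,}', e.run_name):
        flags.append('random_name')         # long hex run-key names are typical of rogue installers
    if e.section == 'O16' and e.url:
        flags.append('dpf_download')        # ActiveX code fetched from the web; verify the source
    return flags


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT line; returns None for lines that are not HJT entries."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group('section'), m.group('body')
    entry = HjtEntry(section=section, raw=line.strip())
    if (cm := CLSID_RE.search(body)):
        entry.clsid = cm.group(0).upper()
    if (pm := WINPATH_RE.search(body)):
        entry.path = pm.group(0).rstrip('"').strip()
    if (um := URL_RE.search(body)):
        entry.url = um.group(0)
    if section == 'O4' and (rm := RUNNAME_RE.search(body)):
        entry.run_name = rm.group('name')
    entry.flags = _heuristics(entry)
    return entry


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse a whole log, skipping headers and other non-entry lines."""
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]


def suspicious_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    return [e for e in entries if e.flags]


if __name__ == '__main__':
    for e in parse_hjt_log('\n'.join(SAMPLE_HJT_LINES)):
        print(f"{e.section:<4} {','.join(e.flags) or '-':<28} {e.path or e.url or ''}")
```

Note what the heuristics miss: the `&Research` BHO loading winconfig.dll from system32 carries no flag, although the post marks it for removal. Path- and name-based rules narrow a log down; knowledge of the specific rogue still decides the remaining lines.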

  10. Hi,

    You only need to kill av360.exe and not anything else.

    When you have Process Explorer open, look to the left of the screen and point your mouse at the av360.exe listing. Right click on your mouse whilst hovering over it and select Kill Process.

    There will then be a prompt box to confirm you want to kill that process; just select Yes!

    This will allow MBAM to run and then it's game over for av360 B)

  11. Hi all,

    The reason why we are flagging these Registry values is because we are seeing a massive increase in the number of malware infections that are disabling the Security Center functions during the course of compromising the victim machine.

    The detections act as a repair to restore (enable) Security Center settings in that scenario B)

    If you have knowingly disabled these settings, or one of your installed softwares has disabled them, then you will need to add them to the MBAM ignore list or we will keep flagging and trying to re-enable them.

    Unfortunately MBAM has no way of knowing whether the Security Center functions were disabled by malware or whether the end user has consented to (wants) them being switched off.

    hth
