
Fatdcuk

Staff
  • Content Count

    20,723
  • Joined

Posts posted by Fatdcuk


  1. OK well, keygens are tools that are run in order to generate a serial to activate pay-for software.

    In short, whoever doesn't want to pay for that software will have downloaded the keygen for it, and this is how the PC has got infected in the first place.

    Kids, bless 'em lol

    Right now's a good time to steer you towards one of our expert helpers in the HJT forum.

    Please read the topics stickied to the top of the following forum and start a fresh topic in that part of the forum.

    http://www.malwarebytes.org/forums/index.php?showforum=7

    All the best!


  2. Hi and welcome to the MBAM forums B)

    We need to get that DB updated as we're currently on 1856.

    There is obviously something blocking access to our servers so you cannot update.

    At the moment one of the current infections performing that function is the CLB driver, so as a diagnostic can you do the walkthrough in the below link and post back to advise if we have found the culprit?

    http://www.malwarebytes.org/forums/index.php?showtopic=12709


  3. Hi all,

    Symptoms are very obvious. Fake alert screens, fake security software activity and browser hijacking.

    av360.jpg

    Recent variants of av360 have been blocking MBAM from running and subsequently preventing the software from detecting and removing it :)

    It does this by terminating the process (mbam.exe) when it is loaded into memory in order to run.

    In order to get MBAM to run we will need to turn the tables on av360 and kill its active process first!

    This can be done very easily by the following walkthrough :)

    Download Process Explorer and install. Please use only as directed*

    http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

    We need to identify which is the av360 entry....very easy, av360.exe is a giveaway and will be listed under Explorer.exe launched applications in the Process Explorer main window.

    Next up go to the entry av360.exe in Process Explorer and right click with your mouse on it.

    Select kill process and then confirm (yes).

    av360processexplorer.jpg

    Finally update and run quickscan with MBAM and av360 will be no more :)

    We hope our application has helped you eradicate this malicious Malware.

    If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.

    Disclaimer to the more learned readers-

    Task Manager can also be used to terminate av360.exe but in some of the installs of this rogue TM has been disabled by the infection. Hence the use of the imported Process Explorer B)


  4. I seem to be free and clear of that nasty trojan. Now I just have to update Windows because I even tried reinstalling XP. Even that didn't work. Nastiest little bugger I have ever come across. Thanks again for your help Fatdcuk.

    FYI running a repair install of the OS is not a fix for most malware in its own right.

    The repair install will address corruptions within the OS and its operating files but it won't address any other software and malware code that is currently installed on the PC.

    Hence why CLB survived the repair install, as it is not part of the OS.

    That said, nothing will survive the full-blooded reformat and reinstall, but thankfully this is not necessary for this infection B)

    All the best!


  5. MBAM does not detect the file anymore !!!

    maybe detection was removed with the update !!

    the file is still in C:/windows/system32 ..

    detection for the file was removed and MBAM no longer detect the file !!

    should I delete it manually ?

    if so, make sure to add it back to the detection file.

    what does MD5 mean anyway?

    thanx,

    Hi,

    In layman's terms it is a tool for indexing files by generating a value unique to that particular file.

    Here's the Wiki for MD5

    http://en.wikipedia.org/wiki/MD5

    If you look at the bottom of the VirusTotal report, amongst other data there will always be an MD5 generated value for the uploaded file.

    As far as the target file goes, it is safe to manually delete it if you know how to, and it was removed from being flagged by MBAM until we could investigate it further and determine whether it was f/p or not B)


  6. Thanks for the feedback all and glad that it worked as expected B)

    I will say that the CLB driver is also responsible for blocking access to various blacklisted sites (security software/fixes) and also prevents some installed software from updating.

    But as you have found, kill the driver and then it's business as usual for installing/updating and running of tools,

    and as said before MBAM will install, update and run and will clean out the remainder of the infection :)


  7. Many thanks for uploading your sample :)

    I can confirm that this is a genuine detection by MBAM and not a F/P after preliminary analysis.

    Here's some handy pointers since the file has faked Microsoft information attached to it and at first glance would appear genuine.

    The VirusTotal report was inconclusive as only PX flagged the file, but a simple Google search of the MD5 returns 0 results.

    http://www.google.co.uk/search?sourceid=na...2e9cdadd8febc10

    This is totally irregular for a Microsoft genuine file and the first clear indicator all is not what it seems B)


  8. Hi all,

    You have the CLB rootkit installed that is blacklisting many security tools including MBAM, as you're all finding.

    In order to get the fixing tools to load and work, the rootkit driver has to be located and killed.

    No small feat when it is intentionally being hidden by design and not viewable by traditional method/tools but it can be done :P

    Here is my quick fix guide to locating and killing the CLB driver (.sys) file that is underpinning the infection and blocking the cleanup tools from running.

    Download the following tool and only use as directed!

    http://rootrepeal.googlepages.com/

    Install RootRepeal and select *File* scan only.

    post-1856-1237161793_thumb.jpg

    When the scan has completed there will be a list of files generated. Some will be ok (legitimate files) but the bulk will be related to the rootkit and its hidden payload of files.

    post-1856-1237161865_thumb.jpg

    You will need to identify which is the CLB driver and here's how.

    This is not as difficult as it appears because it will be one of (if not) the only file listed with a .sys extension.

    It will also carry one of the following prefixes in its filename, followed by random digits + .sys extension.

    TDSS

    Seneka

    GAOPDX

    UAC

    **In my screenshot it is the file UACewsflctd.sys that is the rootkit driver.

    UAC prefix + random characters, in this case = ewsflctd, and .sys extension

    Once you have identified the CLB driver, use your mouse to highlight it in the RootRepeal window.

    Next right-click on it and select the *wipe file* option only, then immediately reboot the computer.

    You will only need to attack the CLB driver as the rest once no longer being protected are easy pickings for cleanup tools :P

    Next install and update MBAM and run quick scan.

    If you are not 100% confident in identifying the CLB driver then feel free to use RootRepeal to generate an output log for me to review and I will advise :P

    To do this go to the report tab then select scan.

    Configure as below and when the report (.txt file) is generated, copy and paste the contents of the text file into a reply post.

    post-1856-1237162712_thumb.jpg
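The identification rule from this post (a .sys file whose name is one of the listed prefixes followed by random characters), as an added triage script that is not part of the post or of RootRepeal. The file listing is constructed; only UACewsflctd.sys is taken from the post, and the legitimate-looking driver name is a placeholder.

```python
import re
from pathlib import PureWindowsPath

# Filename prefixes the post lists for the CLB rootkit driver (matched case-insensitively).
CLB_PREFIXES = ("TDSS", "Seneka", "GAOPDX", "UAC")

# Rule from the post: prefix, then random characters, then the .sys extension.
_CLB_NAME = re.compile(
    r"^(?P<prefix>" + "|".join(CLB_PREFIXES) + r")(?P<random>[A-Za-z0-9]+)\.sys$",
    re.IGNORECASE,
)


def classify_entry(path):
    """Classify one hidden-file path from a scan listing.

    Returns ("clb", prefix, random_part) when the name matches the post's rule,
    ("sys", None, None) for any other .sys file (the post's weaker hint: the
    driver is often the only .sys in the list), else ("other", None, None).
    """
    name = PureWindowsPath(path).name
    m = _CLB_NAME.match(name)
    if m:
        return ("clb", m.group("prefix"), m.group("random"))
    if name.lower().endswith(".sys"):
        return ("sys", None, None)
    return ("other", None, None)


def triage_scan(paths):
    """Apply both rules over a whole listing; this is triage only, a human still
    confirms the pick (the post offers a log review for that)."""
    result = {"suspected_driver": [], "other_sys": []}
    for p in paths:
        kind, prefix, rnd = classify_entry(p)
        if kind == "clb":
            result["suspected_driver"].append((p, prefix, rnd))
        elif kind == "sys":
            result["other_sys"].append(p)
    return result


# Constructed sample listing: UACewsflctd.sys is the name from the post,
# legitdrv.sys is a placeholder, the rest are made-up payload names.
SAMPLE_HIDDEN_FILES = [
    r"C:\WINDOWS\system32\drivers\UACewsflctd.sys",
    r"C:\WINDOWS\system32\UACqwertyuio.dll",
    r"C:\WINDOWS\system32\UACabcdefgh.dat",
    r"C:\WINDOWS\system32\drivers\legitdrv.sys",
    r"C:\WINDOWS\Temp\UAC1234.tmp",
]
```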


  9. Hi,

    These detections are a result of MBAM adding them to the database recently, and hence why they showed up after an updated scan.

    We have seen many malware infections recently directly switching off (disabling) the Security Centre options. Because of this it was decided to alert the end user if those settings are disabled and also, if needed during the course of cleaning up an infected PC, to re-enable the Security Centre.

    Unfortunately the software has no way of telling whether it was malware or the end user that has disabled these settings.

    So if you have knowingly disabled these options in Security Centre then please add them to the ignore list within the MBAM scan so you will not receive repeat alerts.

    hth :P


  10. Hi,

    If you go into MBAM and go to the quarantine option, any files MBAM removed after scanning will be held there in quarantine and can be restored from there.

    If however you have deleted files from the quarantine zone then the files are long gone and there is nothing MBAM can do to recover them, as you have instructed it to delete them.


  11. Is this file part of my OS?

    is it infected? :P

    can I clean the file without deleting it? :P

    it's probably a false positive because my Avira AntiVir says it's clean.. :P

    any help is welcomed ... thank you :)

    P.S. I did run dev mod as suggested and attached the Log .. hope you can help me with that B)

    It's always a good idea with any suspect file to upload it to the VirusTotal service for 39 second opinions.

    http://www.virustotal.com

    Can you please copy and paste a link to the scan report page generated.

    Thanks in advance :)
