Posts posted by Fatdcuk
-
Hi ya and welcome to the MBAM forums B)
Please use the following walkthrough as a fix and then post back a new MBAM log + HJT log after completing that fix.
http://www.malwarebytes.org/forums/index.php?showtopic=12713
-
Hi, please use the following walkthrough to see if you have the CLB driver present and take appropriate action if it is.
http://www.malwarebytes.org/forums/index.php?showtopic=12709
-
Hi and welcome to the MBAM forums B)
Please try running a quick scan from safemode to see if that resolves the issue.
http://www.pchell.com/support/safemode.shtml
It is important whilst the software is scanning that you cease other activities at the computer, as sometimes a conflict could be occurring and be the cause of the issue.
-
Hi, please use the following walkthrough as a guide.
http://www.malwarebytes.org/forums/index.php?showtopic=12709
It is very important that after rebooting the system you first update MBAM before running the quick scan, as your definitions database is very old (Database version: 1749).
We are currently on Database 1856.
Please post back the MBAM log generated from that quick scan + new HJT log B)
-
OK, well, keygens are tools that are run in order to generate a serial to activate pay-for software.
In short, whoever doesn't want to pay for that software will have downloaded the keygen for it, and this is how the PC got infected in the first place.
Kid's bless 'em lol
Right now's a good time to steer you towards one of our expert helpers in the HJT forum.
Please read the topics stickied to the top of the following forum and start a fresh topic in that part of the forum.
http://www.malwarebytes.org/forums/index.php?showforum=7
All the best!
-
Ok then, let's see whether GMER will load:
http://www2.gmer.net/tmp/gmer.exe
IF CLB is present then it will show up in the Rootkit activity tab on opening.
BTW I hope you learn your lesson with messing about with keygens... sooner or later they will sting ya B)
-
Hi and welcome to the MBAM forums B)
We need to get that DB updated as we're currently on 1856.
There is obviously something blocking access to our servers so you cannot update.
At the moment one of the current infections performing that function is the CLB driver, so as a diagnostic can you do the walkthrough in the below link and post back to advise if we have found the culprit?
http://www.malwarebytes.org/forums/index.php?showtopic=12709
-
Hi and welcome to the MBAM forums B)
SAS is not taking out the whole infection and hence why it is restoring itself.
Try the following walkthrough to see if MBAM can kill the infection once and for all:
http://www.malwarebytes.org/forums/index.php?showtopic=12709
-
Hi,
Yes, since you consented to them being switched off, it's best to add them to the MBAM ignore list so they are not being repeatedly picked up by subsequent MBAM scans.
-
Hi all,
Symptoms are very obvious: fake alert screens, fake security software activity and browser hijacking.
Recent variants of av360 have been blocking MBAM from running and subsequently preventing the software from detecting and removing it.
It does this by terminating the process (mbam.exe) when it is loaded into memory in order to run.
In order to get MBAM to run we will need to turn the tables on av360 and kill its active process first!
This can be done very easily by the following walkthrough.
Download Process Explorer and install. Please use only as directed*
http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx
We need to identify which is the av360 entry... very easy, av360.exe is a giveaway and will be listed under Explorer.exe launched applications in the Process Explorer main window.
Next up, go to the entry av360.exe in Process Explorer and right click with your mouse on it.
Select kill process and then confirm (yes).
Finally update and run a quick scan with MBAM and av360 will be no more.
We hope our application has helped you eradicate this malicious malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.
Disclaimer to the more learned readers:
Task Manager can also be used to terminate av360.exe, but in some of the installs of this rogue TM has been disabled by the infection. Hence why the use of the imported Process Explorer B)
-
Hi,
Please follow the instruction in the following canned fix to see if it helps solve your issue B)
http://www.malwarebytes.org/forums/index.php?showtopic=12709
-
Hi,
You're good to go, as if the CLB driver was still active then MBAM wouldn't run.
I know that once MBAM is able to work its magic we have got this infection well and truly covered from all directions by special heuristic rules B)
-
I seem to be free and clear of that nasty trojan. Now I just have to update Windows because I even tried reinstalling XP. Even that didn't work. Nastiest little bugger I have ever come across. Thanks again for your help Fatdcuk.
FYI, running a repair install of the OS is not a fix for most malware in its own right.
The repair install will address corruptions within the OS and its operating files, but it won't address any other software and malware code that is currently installed on the PC.
Hence why CLB survived the repair install, as it is not part of the OS.
That said, nothing will survive the full-blooded reformat and reinstall, but thankfully this is not necessary for this infection B)
All the best!
-
MBAM does not detect the file anymore !!!
maybe detection was removed with the update !!
the file is still in C:/windows/system32 ..
detection for the file was removed and MBAM no longer detect the file !!
should I delete it manually ?
if so, make sure to add it back to the detection file.
what does MD5 mean anyway?
thanx,
Hi,
In layman's terms it is a tool for indexing files by generating a value unique to that particular file.
Here's the Wiki for MD5:
http://en.wikipedia.org/wiki/MD5
If you look at the bottom of the VirusTotal report, amongst other data there will always be an MD5 generated value for the uploaded file.
As far as the target file goes, it is safe to manually delete it if you know how to, and it was removed from being flagged by MBAM until we could investigate it further and determine whether it was an f/p or not B)
-
Thanks for the feedback all and glad that it worked as expected B)
I will say that the CLB driver is also responsible for blocking access to various blacklisted sites (security software/fixes) and also prevents some installed software from updating.
But as you have found, kill the driver and then it's business as usual for installing/updating and running of tools,
and as said before MBAM will install, update and run and will clean out the remainder of the infection.
-
Many thanks for uploading your sample.
I can confirm that this is a genuine detection by MBAM and not an F/P after preliminary analysis.
Here's some handy pointers, since the file has faked Microsoft information attached to it and at first glance would appear genuine.
The VirusTotal report was inconclusive as only PX flagged the file, but a simple Google search of the MD5 returns 0 results.
http://www.google.co.uk/search?sourceid=na...2e9cdadd8febc10
This is totally irregular for a Microsoft genuine file and the first clear indicator all is not what it seems B)
-
Hi all,
You have the CLB rootkit installed that is blacklisting many security tools, including MBAM, as you're all finding.
In order to get the fixing tools to load and work, the rootkit driver has to be located and killed.
No small feat when it is intentionally being hidden by design and not viewable by traditional methods/tools, but it can be done.
Here is my quick fix guide to locating and killing the CLB driver (.sys) file that is underpinning the infection and blocking the cleanup tools from running.
Download the following tool and only use as directed!
http://rootrepeal.googlepages.com/
Install RootRepeal and select *File* scan only.
When the scan has completed there will be a list of files generated. Some will be OK (legitimate files) but the bulk will be related to the rootkit and its hidden payload of files.
You will need to identify which is the CLB driver, and here's how.
This is not as difficult as it appears because it will be 1 of (if not) the only file listed with a .sys extension.
It will also carry one of the following prefixes in its filename, followed by random digits + .sys extension.
TDSS
Seneka
GAOPDX
UAC
**In my screenshot it is the file UACewsflctd.sys that is the rootkit driver.
UAC prefix + random characters (in this case ewsflctd) + .sys extension.
Once you have identified the CLB driver, use your mouse to highlight it in the RootRepeal window.
Next, right mouse click on it and select the *wipe file* option only, then immediately reboot the computer.
You will only need to attack the CLB driver, as the rest, once no longer being protected, are easy pickings for cleanup tools.
Next install and update MBAM and run a quick scan.
If you are not 100% confident in identifying the CLB driver then feel free to use RootRepeal to generate an output log for me to review and I will advise.
To do this go to the report tab then select scan.
Configure as below and when the report (.txt file) is generated then copy and paste the contents of the text file into a reply post.
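A small triage helper, added here as an example and not code from the post or from Malwarebytes, that applies the identification rule above (known prefix + random characters + .sys) to a file listing and computes the MD5 discussed in the earlier post so it can be pasted into a search; every filename and byte string below except UACewsflctd.sys is constructed for the demo.

```python
import hashlib
import re

# Naming rule from the post: TDSS / Seneka / GAOPDX / UAC prefix, then random
# alphanumerics, then .sys. Case-insensitive so mixed-case variants still match.
CLB_DRIVER_RE = re.compile(r"^(TDSS|Seneka|GAOPDX|UAC)[A-Za-z0-9]+\.sys$", re.IGNORECASE)


def is_clb_driver_name(filename: str) -> bool:
    """True if the bare filename fits the rootkit driver naming pattern."""
    return CLB_DRIVER_RE.match(filename) is not None


def md5_hex(data: bytes) -> str:
    """MD5 of the file contents as the lowercase hex string VirusTotal shows."""
    return hashlib.md5(data).hexdigest()


def triage(listing):
    """
    listing: iterable of (filename, contents) pairs, e.g. names from a
    RootRepeal file scan plus a read of each file. Returns one record per
    .sys file with its MD5 and whether the name matches the CLB pattern.
    Non-.sys files are skipped because the post says the driver is the
    .sys file in the list.
    """
    results = []
    for name, data in listing:
        if not name.lower().endswith(".sys"):
            continue
        results.append({"name": name, "md5": md5_hex(data),
                        "suspect": is_clb_driver_name(name)})
    return results


# Constructed sample listing: only UACewsflctd.sys is taken from the post.
SAMPLE_LISTING = [
    ("UACewsflctd.sys", b"MZ constructed driver bytes 1"),
    ("ntfs.sys", b"MZ constructed legitimate bytes"),
    ("TDSSab12cd.sys", b"MZ constructed driver bytes 2"),
    ("UACqwerty.dll", b"constructed non-driver bytes"),
]


def suspects(listing=SAMPLE_LISTING):
    """Names of the .sys files the rule would send for review/wiping."""
    return [r["name"] for r in triage(listing) if r["suspect"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_LISTING):
        print(f"{r['name']:18} {r['md5']}  {'SUSPECT' if r['suspect'] else 'ok'}")
```

A name match is a prompt to review the file (upload it, search the MD5), not proof on its own; the post's advice to post a RootRepeal log when unsure still applies.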
-
Hi,
These detections are a result of MBAM adding them to the database recently, and hence why they showed up after an updated scan.
We have seen many malware infections recently directly switching off (disabling) the Security Center options. Because of this it was decided to alert the end user if those settings are disabled and also, if needed during the course of cleaning up an infected PC, to re-enable the Security Center.
Unfortunately the software has no way of telling whether it was malware or the end user that disabled these settings.
So if you have knowingly disabled these options in Security Center then please add them to the ignore list within the MBAM scan so you will not receive repeat alerts.
hth
-
Hi,
Could you upload your copy of winhost32.exe to the following forum for further analysis.
You will need to zip (compress) it for it to upload.
http://www.malwarebytes.org/forums/index.php?showforum=55
PX are hitting the file on its MD5 checksum alone and not on a heuristic flag.
Thanks in advance
-
Hi,
If you go into MBAM and go to the quarantine option, any files MBAM removed after scanning will be held there in quarantine and can be restored from there.
If however you have deleted files from the quarantine zone, then the files are long gone and there is nothing MBAM can do to recover them, as you have instructed it to delete them.
-
Hi ya and welcome to the MBAM forums
These are confirmed F/P's and a recent database update has addressed this issue.
If you have them quarantined it is safe to restore those detections.
-
Is this file part of my OS?
is it infected?
can I clean the file without deleting it?
it's probably a false positive because my Avira AntiVir says it's clean..
any help is welcomed ... thank you
P.S. I did run dev mod as suggested and attached the Log .. hope you can help me with that B)
Always a good idea with any suspect files to upload the suspect file to the VirusTotal service for 39 second opinions.
Can you please copy and paste a link to the scan report page generated?
Thanks in advance
-
Hi ya,
Those are orphaned values from an adware infection but are not F/P's.
They are safe to delete from quarantine.
-
Ok thanks for the update,
Please post back again if MBAM still makes the same flag on the same file again.
Won't Run
in Resolved Malware Removal Logs
Hi ya and welcome to the MBAM forums,
Can you please follow the instructions in the following walkthrough to see if you have the CLB driver present and take the appropriate action.
http://www.malwarebytes.org/forums/index.php?showtopic=12709
Please post back fresh HJT log and MBAM log if available B)