Fatdcuk (Staff, content count 20,723)

Posts posted by Fatdcuk


  1. The new defs are not in that DB.

    They will be in one of the next two updates (1827 or 1828). Not sure which one, as I do not update the main DB which feeds updates to all MBAM users.

    You will know when they have been added, as they will detect and remove the driver that you have uploaded, and the rest of the infection will be dead once and for all.


  2. I will post here the file itself? Can it not cause errors if I remove that file from my PC?

    If it's loaded then it will not allow you to delete it by traditional methods, but you will be able to copy & paste it into another location, e.g. My Documents, and then zip/compress that copy to upload.

    The reason I ask for uploading is that if it is the culprit I can then analyse it and update MBAM defs in order to remove it from your PC and from any other unfortunate folks that also have it on their PCs.

    Also, if it's a legit file then you don't want to be removing it....

    Thanks in advance.


  3. Hi ya,

    + omkdsmci Universal Serial Bus Camera Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\omkdsmci.sys

    I strongly suspect this to be the culprit for restoring the infection but will need to get my hands on a copy to confirm.

    If you are familiar with searching folders for files etc., could you please locate omkdsmci.sys.

    Please zip it up and upload to a new topic in the following forum.

    http://www.malwarebytes.org/forums/index.php?showforum=55

    Thanks in advance.


  4. OK, the MBAM log is identifying that you have a Rootkit Sentinel variant on board.

    There is another element at play that is reloading the whole infection, which is why MBAM is failing to complete the cleanup.

    Based on previous encounters with this infection, there is going to be another driver (.sys) file doing the restoration job.

    Unfortunately HJT is very limited, so if possible can you use the following diagnostic tool to assist me in catching the culprit.

    Download and install Autoruns.

    http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

    When you first run it, it will generate an extensive listing and the word "Ready" will appear in the bottom left of the software GUI.

    At this point go to Options and place a check (tick) against Verify Code Signatures and Hide Microsoft & Windows Entries. Next press the F5 button to refresh.

    Once Ready status is shown by the software, go to the File option. Select "Export as" and save the output file as Autoruns.txt.

    Can you please then copy and paste the contents of that text file into your next reply for analysis.

    Thanks in advance.
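    The two steps asked for in the posts above (flag unverified driver entries in the Autoruns export, then copy the locked .sys file elsewhere and zip it for upload) can be scripted. The following is an added example, not code from the original posts or from Malwarebytes. It parses the one-line export format quoted above ("+ entry description (signature status) company path"); that layout, the three constructed sample lines, and the stand-in driver file used in demo() are assumptions made so the script runs offline.

```python
"""Added example (not from the original forum post): triage an Autoruns
text export for unverified driver entries and package the suspect files
for upload.

The line format parsed here is the one quoted in the post above:
    + <entry> <description> (<signature status>) <company> <image path>
The regex below is an assumption about that layout, not Autoruns documentation."""
import hashlib
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# Constructed sample export: three made-up lines in the format quoted above.
SAMPLE_EXPORT = """\
+ omkdsmci Universal Serial Bus Camera Driver (Not verified) Microsoft Corporation c:\\windows\\system32\\drivers\\omkdsmci.sys
+ mbamswissarmy MBAMSwissArmy (Verified) Malwarebytes Corporation c:\\windows\\system32\\drivers\\mbamswissarmy.sys
+ ExampleUpdater Example Updater (Not verified) Example Ltd c:\\program files\\example\\updater.exe
"""

LINE_RE = re.compile(
    r"^\+\s+(?P<entry>\S+)\s+(?P<desc>.*?)\s*"
    r"\((?P<status>[^)]*)\)\s*"
    r"(?P<company>.*?)\s*"
    r"(?P<path>[a-z]:\\.*\S)\s*$",
    re.IGNORECASE,
)


def parse_autoruns_export(text):
    """Parse export lines into dicts; lines that don't fit the format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            d["company"] = d["company"].strip()
            entries.append(d)
    return entries


def suspicious_drivers(entries):
    """Flag what the post flags: an unverified signature on a kernel driver
    (.sys under a drivers directory), or an unverified file whose company
    field claims Microsoft, which a genuine Microsoft driver would not do."""
    flagged = []
    for e in entries:
        unverified = e["status"].strip().lower().startswith("not verified")
        path = e["path"].lower()
        kernel_driver = "\\drivers\\" in path and path.endswith(".sys")
        claims_microsoft = "microsoft" in e["company"].lower()
        if unverified and (kernel_driver or claims_microsoft):
            flagged.append(e)
    return flagged


def package_for_upload(paths, dest_dir):
    """Copy each file into dest_dir (a loaded driver usually can't be deleted
    but can still be read), zip the copies, and return the zip path plus the
    SHA-256 of each copied file so the analyst can confirm what arrived."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    zip_path = dest / "suspect_files.zip"
    hashes = {}
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            src = Path(p)
            if not src.is_file():        # already gone or path mangled: skip, don't crash
                continue
            copy = dest / src.name
            shutil.copy2(src, copy)
            zf.write(copy, arcname=src.name)
            hashes[src.name] = hashlib.sha256(copy.read_bytes()).hexdigest()
    return zip_path, hashes


def demo(workdir=None):
    """Stand-in for a real run: the flagged driver path is replaced with a
    constructed file so the packaging step can be exercised on any OS."""
    work = Path(workdir or tempfile.mkdtemp(prefix="autoruns_triage_"))
    flagged = suspicious_drivers(parse_autoruns_export(SAMPLE_EXPORT))
    fake_driver = work / "omkdsmci.sys"
    fake_driver.write_bytes(b"MZ" + b"\x00" * 62)   # constructed stand-in, not a real driver
    zip_path, hashes = package_for_upload([fake_driver], work / "upload")
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
    return {"flagged": [e["entry"] for e in flagged],
            "zip_names": names, "hashes": hashes}


if __name__ == "__main__":
    print(demo())
```

    On a real machine you would feed the saved Autoruns.txt to parse_autoruns_export() and pass the flagged paths to package_for_upload() with a My Documents folder as the destination; the SHA-256 values go into the forum post alongside the zip. Only the first sample line is flagged: the second is verified, and the third is unverified but is neither a kernel driver nor claiming to be Microsoft's.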


  5. Hi ya,

    Yes, unfortunately it seems to be our problem: the better we get at beating the bad guys, the more they single us out for special attention.

    With regard to any scan stalling for any software, best practices are often ignored and sometimes will create some stalling scenarios in themselves.

    Here's a checklist of what I would highly recommend to anyone scanning an infected computer.

    1)Disconnect from the internet to prevent malware from updating as the system is being scanned.

    2)Exit all applications wherever possible with the exception of the scanning software.

    3) Don't use the computer whilst a scan is in operation. For example, cease all other activities on the machine, e.g. no games, no media, no file browsing and certainly no other scanning software running.

    Once a scan has started just walk away and pop the kettle on. When you check back after a few mins, if the scan appears to have stalled (don't do anything!!!!) give the system the benefit of say 30 mins to sort the issue itself.

    If it's scanning normally then all good; if you get to the hour mark and it's still frozen at the same point then it's time to exit the application and seek further advice/help.

    During this whole process of scanning, if you follow my suggestions to the letter, then if you see a "software not responding" message... you haven't followed my instructions B)

    How do I know this... it's easy, because in order for the software to generate a not responding error message you will have touched something on your computer, such as clicking on something with your mouse etc.

    hth


  6. Hi ya,

    The file uploaded (.job) is a Task Scheduler file pointing to a now not present file (pmnlkljJ.dll).

    It is safe to manually remove this scheduled task file from the Tasks folder just to clean it up.

    OK, we are fast running out of options now because there appears to be no active malware content being thrown up by the diagnostic tools. This leads me to believe it might be related to a software setting or even 3rd party installed software.

    That said, I never like admitting defeat, so I will attempt to see if we can remedy the issue: a couple more routines to run to see if the issues persist.

    1. Locate sigverif.exe in the system32 folder and run it.

    Report back any discrepancies on digital signatures if present.

    2. Uninstall Firefox, reboot and completely clear your TIFs and Cookie folder on all accounts.

    CCleaner should be able to do this for you if you're not doing it manually, but do this for all accounts on the PC.

    Next reinstall Firefox and see if the issues persist.

    Thanks in advance.


  7. Hi :)

    Will Malwarebytes remove the AntiVirus 360 infection?

    If not, is there a relatively simple explanation of why MBAM cannot do the job?

    Thanks

    Dave

    With regard to AV360, we have IPH rules that will block its install in real time for our customers that have paid for real-time protection.

    At several points during its install process our protection module will offer the chance to terminate various processes, which will block its install even if the initial installer file is not known to our database.

    If AV360 is already installed then which variant of it you have installed will determine the outcome scenario. Our heuristics will detect and remove all current AV360 variants if MBAM is able to run.

    The only problem is that some recent versions will block MBAM (& other tools) from running on the infected system. In this case it is an executable file called av360.exe which, when loaded into memory, terminates other tools, so if this process is terminated via Task Manager or a like tool then MBAM will rip it off the infected system every time :)
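    The "terminate av360.exe, then run MBAM" sequence from the reply above can be done from a script rather than Task Manager, which is useful when the blocker keeps restarting the moment a GUI tool opens. The following is an added example, not code from the original post or from Malwarebytes. It drives the Windows tasklist and taskkill commands through an injectable runner; the FakeRun class, the canned tasklist CSV output and the mbam.exe scanner command are constructed so the sequence can be checked offline, and are not a real capture.

```python
"""Added example (not from the original forum post): find every instance of
a scanner-blocking process (the post names av360.exe) via tasklist, kill it
by PID with taskkill, then launch the scanner.

The `run` parameter is an assumption made for testability: by default it is
subprocess.run, but a stand-in can be injected so the logic runs without
Windows."""
import csv
import io
import subprocess


def list_processes(run=subprocess.run):
    """Return [(image_name, pid), ...] parsed from `tasklist /FO CSV /NH`."""
    proc = run(["tasklist", "/FO", "CSV", "/NH"],
               capture_output=True, text=True, check=True)
    rows = []
    for row in csv.reader(io.StringIO(proc.stdout)):
        if len(row) >= 2 and row[1].isdigit():    # skips blank and "INFO:" lines
            rows.append((row[0], int(row[1])))
    return rows


def kill_image(image_name, run=subprocess.run):
    """Terminate every process whose image name matches, case-insensitively.
    Killing by PID (rather than `taskkill /IM`) gives the caller an exact
    record of what was terminated. Returns the targeted PIDs ([] if none)."""
    targets = [pid for name, pid in list_processes(run)
               if name.lower() == image_name.lower()]
    for pid in targets:
        run(["taskkill", "/PID", str(pid), "/F"],
            capture_output=True, text=True, check=False)
    return targets


def kill_then_scan(image_name, scanner_cmd, run=subprocess.run):
    """Kill the blocker first, then start the scanner. Returns the killed
    PIDs and the scanner's exit code; a missing blocker is not an error."""
    killed = kill_image(image_name, run)
    result = run(scanner_cmd, check=False)
    return killed, result.returncode


# Constructed tasklist output for the offline demo (not a real capture).
FAKE_TASKLIST = (
    '"System Idle Process","0","Services","0","24 K"\n'
    '"explorer.exe","1532","Console","1","31,204 K"\n'
    '"av360.exe","2744","Console","1","9,812 K"\n'
    '"AV360.exe","2760","Console","1","9,800 K"\n'
)


class FakeRun:
    """Stand-in for subprocess.run: serves the canned tasklist output and
    records every command so the kill sequence can be inspected."""
    def __init__(self, tasklist_output):
        self.tasklist_output = tasklist_output
        self.commands = []

    def __call__(self, cmd, **kwargs):
        self.commands.append(list(cmd))
        out = self.tasklist_output if cmd[0] == "tasklist" else ""
        return subprocess.CompletedProcess(cmd, 0, stdout=out, stderr="")


def demo():
    """Run the sequence against the constructed process list; the scanner
    command is a placeholder, not a real MBAM invocation."""
    fake = FakeRun(FAKE_TASKLIST)
    killed, rc = kill_then_scan("av360.exe", ["mbam.exe"], run=fake)
    return killed, rc, fake.commands


if __name__ == "__main__":
    print(demo())
```

    Both instances are killed even though one is spelled in capitals, and the scanner is launched regardless of whether anything was found, so the same script works on a machine where the blocker is not present. On a real system, run it from an elevated prompt; taskkill /F on another user's process needs that.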
