Jintan

Experts
  • Content Count: 143
  • Community Reputation: 0 Neutral
  • Rank: Advanced Member

About Jintan
  1. Always glad to be helpful here. Just a few changes now, and remove what our work added there. Actually one of them will rehide those file settings. AntiVir has a good reputation, so should be just fine to reinstall. The logs show you have slightly outdated versions of vulnerable programs, so go to each of these sites and update to the latest version (keep your eyes open - they often slide in "opportunities" for things like Google, or McAfee's scanner): http://www.adobe.com/downloads/ (For Adobe Reader and Flash Player - uncheck the useless McAfee scan, if offered) http://java.com/en/download/ma
  2. Habit from other places I assist. Instead of OTL, just download OTC.exe by OldTimer to your desktop. This will help by automatically removing some of the tools we used. Just click OTC.exe, then click CleanUp, and select Yes. When it finishes removing some of the tools and files we used there, just agree to the reboot, and OTC should self-delete once the system has rebooted (if not, just delete the OTC.exe file).
  3. System looks clean, and also looks like what we were seeking as hidden malware was actually AntiVir activities. How is everything running now please?
  4. We have been hunting an AntiVir chimera? I will have to install a copy and verify all that myself. Please do not reinstall any other security software until we complete our tasks here. Go here and download Mischel's MBR Backup to your desktop, then click MBRBackup.exe to start the utility. Click Save MBR, and save that file to a location you can easily return to later. Then close MBR Backup. Zip a copy and email that saved file to me as an attachment please. The file is always prenamed MBR_year_month_day.bin. MBR_2011_05_27.bin for example. -------------- Open and update Malwarebytes. * If an upd
  5. No, that won't be a problem. Just scratching my head that I got the email notifications, but didn't respond here. Looks pretty good. Some updates to do. May want to uninstall Windows Desktop Search 3.01. More a slowness maker than a benefit on XP systems. The logs show you have slightly outdated versions of vulnerable programs, so go to each of these sites and update to the latest version (keep your eyes open - they often slide in "opportunities" for things like Google, or McAfee's scanner): http://www.adobe.com/downloads/ (For Adobe Reader and Flash Player - uncheck the useless McAfee scan, if
  6. Some remnant services we need to remove, but just no ID elsewise. Is that a free version of AntiVir, that you can uninstall to help clear up what Gmer shows? I am not familiar with its current product enough to spot what part of the scan chatter belongs to it, or even if it now protects the MBR in some way. If so, do the following, then uninstall AntiVir, reboot and run a regular Gmer scan again. If you haven't yet, go ahead and uninstall Vongo, which is no longer an active program. Go to Start - Run, type cmd (and OK). Copy/paste each of the following at the prompt, Enter after each: sc dele
  7. I received the MBR copy, thanks. Looks like we're being snookered here - the mbr.dat file was just filled with empty spaces. Suggests maybe some watcher driver being loaded to block and distract things. Go ahead and run ComboFix again, but also do the following after that: Open Gmer again. Once it has completed its opening scan, this time just right-click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes, click on the Copy button and right-click on your Desktop, choose "New" > Text document.
  8. Shows the infected MBR in both scan logs, and Gmer sure showing some pretty suspect other activity. Wonder why what is there seems to be slipping past TDSSKiller's checks. We could replace the MBR with a Windows 7 default copy, but there is always a concern that will then have you lose access to any factory reinstall partition - press some key sequence during a reboot, and access a location that will then just return the system to factory state. Do you know if your system has that? If the malware has altered the MBR, then that access is already lost, and returning a default MBR would then serve
  9. Curious results so far, though hoping ComboFix catching and replacing a bogus .dll file will have changed something. Since I have the info at hand, take note of the following, to choose to uninstall later once we are clear of this rootkit nonsense:
     • Vongo - Pre-installed by HP, now defunct.
     • Netscape Browser (remove only) - Same - pre-installed, no longer in use.
     And these are resource wasters if you do not actually use them:
     • Yahoo! Toolbar for Internet Explorer
     • Yahoo! Toolbar
     • Bing Bar
     ------------- Download MBRCheck.exe to your Desktop. Run the application. If no infection is found, it will pro
  10. In fact, also with HijackThis, select Do a system scan and save logfile. Use copy/paste and post that log back here for review as well please.
  11. Very good - looks and reads as all clean now. Let's check installed programs to see what changes we need to make there, then we'll start wrapping things up. Download HijackThis from Here. Then click on the downloaded file, and install HijackThis. In HijackThis, click Config - Misc Tools - Open Uninstall Manager. Click on Save List, then save that to a location you can locate again (such as the desktop). Copy/paste the contents of that back here please.
  12. Usually in Safe Mode, although there still are active services running, the antivirus' most active components are disabled. So let's see how you do with the most recent steps.
  13. Surely was not the results I expected in any way. Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive. Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may
  14. Really looking like bootkit MBR (Master Boot Record) infection there. Please do everything you can to make sure AntiVir is completely disabled. Just to be sure, reboot to Safe Mode for this next step. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear. Click here and download Kaspersky's TDSSKiller to your desktop, but as you download it, rename it to larry.com, then click that file to run TDSSKiller. In the display that opens click Start scan. Once that completes, follow any prompts to act on anything it located, including
  15. Welcome to Malwarebytes brightjoy2, The logs don't quite reflect the likely bootkit/rootkit infection on that system, so let's take some different looks at things, then decide on repairs. To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types". To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through