jecjcc Posted November 13, 2013 ID:752834

Hi; hope I've followed all your protocols for this site. I just installed a new SSHD 500 Gb; installed Win 7 64 bit on my K53E Asus laptop. Did reinstall from Asus disks successfully. Installed a few favorite programs - VLC, Malwarebytes, ASC7, AVG free, Trans.qt. Did some surfing, torrenting etc. and everything seemed fine for a couple of days. I was experiencing Windows Explorer "stopped responding" though. This is not completely new to me from previous times, but now it was getting worse so I started to explore the issue on the web and read about it wherever I could. I also decided to explore different virus protection etc.

I found and tried Vipre; Bit Defender installed an extension scanner from just trying it once. I left it there. Next I went to Source Forge to see what open source has. I tried Clamwin, Eset, Moon Secure Antivirus, Avira free. When I ran Clamwin I noticed it wasn't able to open a whole bunch of C:/ files. Tried Eset. Same thing. Copied and googled partial log from Winclam and found that it looked like I might have an MBR problem. Tried Cce and a couple of other boot scanners with no success. Malwarebytes also returned nothing for me. The Moon app was prevented from working at first, but finally did, but found nothing either. One of them, I think Cce, found a file and I deleted it. I didn't save anything though. Something like raeeh; sorry.

All this time things are starting to happen too; gets worse. Browser hung up some; much slower. Other errors. Then I came across your forum. I really will be lucky if I can even do what you've asked; that's how much I don't know.

Attachments: attach.txt, dds.txt

Thank you very much.

P.S. Sorry about the no tag; couldn't find them.

Root Admin AdvancedSetup Posted November 13, 2013 ID:752868

Hello,

Please visit this webpage and read the ComboFix User's Guide:

Once you've read the article and are ready to use the program you can download it directly from the link below.

Important! - Please make sure you save ComboFix to your desktop and do not run it from your browser.

Direct download link for: ComboFix.exe

Please make sure you disable your security applications before running ComboFix.
Once ComboFix has completed it will produce and open a log file. Please be patient as it can take some time to load.
Please attach that log file to your next reply.
If needed the file can be located here: C:\combofix.txt

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

jecjcc Posted November 13, 2013 Author ID:752906

Hi; hope you and yours are well. Thanks for all your help. I'm sending 2 copies of the logs. If they're not the same I think you should work from the 2nd one. If you want an explanation let me know.

Attachments: #1 ComboFix.txt, #2 ComboFix.txt

Root Admin AdvancedSetup Posted November 13, 2013 ID:752908

Please go ahead and run through the following steps and post back the logs when ready.

STEP 03

Please download Malwarebytes Anti-Rootkit from here.
Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe.
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced; they will be in the MBAR folder... mbar-log.txt and system-log.txt

STEP 04

Please download Junkware Removal Tool to your desktop.
Shut down your antivirus to avoid any conflicts.
Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next reply message.
When completed make sure to re-enable your antivirus.

STEP 05

Let's clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Please uncheck elements you don't want removed.
Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log especially under Files/Folders for any program you want to save.
If there's a program you may want to save, just uncheck it from AdwCleaner.
If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
If you're ready to clean it all up...click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
To restore an item that has been deleted:
    Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Then...

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.
Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.
Make sure that everything is checked, and click Remove Selected.

STEP 06

Please go here to run the online antivirus scanner from ESET.
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the option Remove found threats is unticked.
Click on Advanced Settings and ensure these options are ticked:
    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology
Click Scan.
Wait for the scan to finish.
If any threats were found, click the 'List of found threats', then click Export to text file....
Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 07

Please download the Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

jecjcc Posted November 13, 2013 Author ID:752957

OK. Here are both rootkit files and the jrt log. For both rootkit scans nothing showed up to be cleaned. ?? Also, the event logs for the jrt scan were not saved. Is this normal?

Attachments: mbar-log-2013-11-13 (02-15-48).txt, mbar-log-2013-11-13 (02-33-03).txt, JRT.txt

jecjcc Posted November 13, 2013 Author ID:752962

Step 5 AdwCleaner logs

Attachments: AdwCleanerS0.txt, AdwCleanerR0.txt

jecjcc Posted November 13, 2013 Author ID:752966

Attachments: mbam-log-2013-11-10 (16-56-28).txt, mbam-log-2013-11-10 (17-04-11).txt

nothing here

jecjcc Posted November 13, 2013 Author ID:753173

3 things turned up from ESET scan but would not export to text. I snipped them to Windows photo viewer and I'll attach them. I don't know if that will work or not.

jecjcc Posted November 13, 2013 Author ID:753180

I'm still not supposed to be cleaning, deleting, or fixing anything; right?

Attachments: FRST.txt, Addition.txt

Root Admin AdvancedSetup Posted November 13, 2013 ID:753239

The logs do not indicate that the system is infected at this time. Are you having signs of an infection? What issues are you still currently having?

Thanks

jecjcc Posted November 13, 2013 Author ID:753242

It's confusing. The machine seems to be doing better. However when I ran ESET scanner I didn't clean what it found. I was waiting for your go ahead. Also were you able to determine anything from the png I used?

When I originally read an article about MBR viruses and my symptoms fit I had hoped to be able to run boot rootkit scans but when I tried Comodo boot rescue disk I couldn't enable any network connections so it couldn't update so I failed with that. So far I tried to follow your instructions but I don't know what we've done that would have cleaned anything. Have we? So, I'm not sure something isn't still hiding in MBR.

BTW... I'm convinced now, with all the help etc. from MWB, to get all your latest PRO edition products. Also I downloaded about 20 tools from Bleepingcomputer.com. Probably won't know how to use all of them. Slowly learning a little bit. KNOW TO BE REALLY CAREFUL. Mostly observational for me as opposed to taking any actions.

So I guess I should run ESET again and clean the 3 items this time? Do we have discussions on this forum?

jecjcc Posted November 13, 2013 Author ID:753246

To answer your question: I haven't been going out on the web or doing much of anything while we've been working on this stuff to be able to tell of any problems. It does seem to be doing better generally. Not hanging up or not responding. Speed is improved. My desire is to make sure all is good and then reinstall again. What do you think?

Root Admin AdvancedSetup Posted November 13, 2013 ID:753266

The items found by ESET are not really much of a threat; they're being flagged because they add adware type programs as part of the installer, otherwise known as PUP (Possibly Unwanted Programs). You can delete them or if you do use them make sure to choose Custom install and uncheck any add-on programs or features.

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller
Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.
If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.
Once the tool has completed scanning make sure to re-enable your other security applications.

jecjcc Posted November 14, 2013 Author ID:753343

I didn't change any parameters. It only scanned about 433 objects. Is that what you wanted?

Attachment: TDSSKiller.3.0.0.16_13.11.2013_21.36.55_log.txt

Root Admin AdvancedSetup Posted November 14, 2013 ID:753346

That did not find anything either. Aside from running an offline scanner such as Kaspersky Rescue Disk the current scanners are not finding an issue.

jecjcc Posted November 14, 2013 Author ID:753382

Thanks for everything. I guess I should leave it as it is.

Root Admin AdvancedSetup Posted November 14, 2013 ID:753396

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.
Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
It will also reset your System Restore by flushing out previous restore points and create a new restore point.
It will also remove all the backups our tools may have created.

Uninstall ComboFix (if used):
Turn off all active protection software including your antivirus.
Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button).
Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
Note the space between the X and the /Uninstall, it needs to be there.

Remove the rest of the tools used:
Please download OTCleanIt and save it to your Desktop. This tool will remove all the tools we used to clean your PC.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not go ahead and delete it by yourself.
If asked to restart the computer, please do so.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

AdwCleaner Removal:
Double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

ESET antivirus Removal:
This tool can be uninstalled via the Control Panel, Programs, Uninstall.

If there are any other left over Folders, Files, Logs then you can delete them on your own.

Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8
Remove all but the most recent Restore Point on Windows XP

As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.

Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

How Malware Spreads - How did I get infected
Best Practices for Safe Computing - Prevention of Malware Infection
Avoiding those unwanted free applications
A close look at how Oracle installs deceptive software with Java updates
IAC / Ask.com toolbars
Malwarebytes Unpacked Blog

If you're not currently using Malwarebytes PRO then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

jecjcc Posted November 14, 2013 Author ID:753418

Ok. Everything undone. No Java installed. Restore done. Already got MWB Pro. Saved 6 URLs till tomorrow. Thanks again for all your help.

Root Admin AdvancedSetup Posted November 14, 2013 ID:753425

You're quite welcome. Take care and stay safe out there and tell your friends and family about Malwarebytes.

Root Admin AdvancedSetup Posted November 14, 2013 ID:753426

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!