Jump to content

Recommended Posts

  • 3 weeks later...
  • 3 weeks later...
  • Root Admin

Please go ahead and run through the following steps and post back the logs when ready.

STEP 03
Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

STEP 04
Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus



STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.



STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


STEP 07
button_eos.gif

Please go here to run the online antivirus scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

    [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.



STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


 

Link to post
Share on other sites

Hi again and thanks

Got an error code when I tried to run mbar,and JRT

CODE 0XC0000005. ADDRESS 0X7751fab3

Execution data 0x0000001

0x0000000

Also much of my desktop disappeared

This has not happened before

I note that earlier log mentions drives or partitions with Xp boot code,that is something I know I should not have

Also on checking permissions in Process Explorer I see that system files such as smss.exe and csrss.exe,are set,

To a completely different way to the way they should be,almost like they are referencing a completely different system

This is a standalone win 7 Desktop not currently connected to the internet

Anyway,I think I am going to give up at this stage,the machine is flakey enough,perhaps I am risking making it worse,would love to know what sort of thing has infected it,even if we can't fix it!

Many thanks again

Link to post
Share on other sites

  • Root Admin

Well we don't have to give up unless you want to. Simply bypass the anti-rootkit scanner for now and proceed and run the other scanners and post back their logs when ready.

 

In most cases we can fix the computer but some take longer than others. Every once in a while though its futile to try to fix but if we get there I'll let you know.

Link to post
Share on other sites

Adw and MBAM logs show nothing,and I can't use an online scanner.so will give up for now but would like to check a couple of things if possible.

The computer frequently describes the path to different locations as \\?\C:\ is this normal?

Also there is quite a lot of foreign text in the registry and other places,also encrypted data in the registry,I don't use encryption

Also I am somehow joined to a WORKGROUP,I would like to know how that happens and why

I am the sole user of the computer,no one else has access.

Many thanks,hope you can help

Link to post
Share on other sites

  • Root Admin

Code obfuscation in the registry is normal as is some amounts of encryption and alone is not a sign of an infection.

 

All computers are either joined to a workroup or a domain and is normal

 

If you really want a clean system then backing up your data and the FDISK, FORMAT, and reinstall Windows is the best method of a true safe clean up.

 

Again though, please let me know what you'd like to do.

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.