MohamedShibl Posted October 26, 2015 ID:997970
I got a RAT threat (remote access Trojan) definition that prevents me from opening antiviruses, and I tried to uninstall Malwarebytes and reinstall it, but it prevented me from redownloading it. Can any specialist help me please?

kevinf80 Posted October 26, 2015 ID:997979
Hello and welcome,

P2P/Piracy Warning:
If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
(Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Press Scan button to run the tool...
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Let me see those logs...
Kevin...

MohamedShibl Posted October 26, 2015 Author ID:997980
I downloaded it but it self-closes it too... and about privacy piracy, all my software is legal.

kevinf80 Posted October 26, 2015 ID:997981
The opening reply regarding P2P/Piracy warning is a standard forum reply, it is not suggesting anything, it is designed to make everyone aware of forum policy...

Follow the instructions in the following link to show hidden files:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Next d/l FRST again, this time rename to Find.com
Run the tool, select scan...
Post the two produced logs...

MohamedShibl Posted October 26, 2015 Author ID:997984
I did unhide, but still it self-closes programs. What should I do...

kevinf80 Posted October 26, 2015 ID:997985
See if this will run...

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/
There are three buttons to choose from with different names on, select the first one and save it to your desktop.
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7/8, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
If the tool does not run from any of the links provided, please let me know.

Try FRST after that...

MohamedShibl Posted October 26, 2015 Author ID:997987
Here it is, but still my antiviruses don't run.
Rkill.txt

kevinf80 Posted October 26, 2015 ID:997991
Can you rename FRST and see if it will run? If not, do you have Malwarebytes installed...

MohamedShibl Posted October 26, 2015 Author ID:997993
Here they are, and it seems after renaming programs I can run them normally.
Addition.txt
FRST.txt

MohamedShibl Posted October 26, 2015 Author ID:997994
But installers only, not programs.

MohamedShibl Posted October 26, 2015 Author ID:997995
Do you recommend using this?

kevinf80 Posted October 26, 2015 ID:997996
Do Not run fixdamge yet,

Navigate to C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
Right-click on mbam.exe, rename to mbam.com
Double-click on the renamed entry, does Malwarebytes start up...

MohamedShibl Posted October 26, 2015 Author ID:997997
It became like this... doesn't open at all...

kevinf80 Posted October 26, 2015 ID:997999
Change back to mbam.exe...

Run the following:
Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/
Again it will have to be renamed, try winlogon.com
Quit all running programs.
For Windows XP, double-click to start.
For Vista, Windows 7/8/8.1/10, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement).
Click Scan to scan the system.
When the scan completes select "Report", in the next window select "Export txt", the log will open as a text file, post that log... Also save to your Desktop for reference.
Close the program > Don't Fix anything!

MohamedShibl Posted October 26, 2015 Author ID:998000
Why not fix anything..? It found some roots... By the way, the scan is not done yet, so when it's done I will put the log.

MohamedShibl Posted October 26, 2015 Author ID:998002
Here it is, hope it helps (I hid the files before doing it).
Scan.txt

kevinf80 Posted October 26, 2015 ID:998004
Double-click RogueKiller.exe to run again. (Vista/7/8 right-click and select Run as Administrator)
When "initializing/pre-scan" completes press the Scan button, this may take a few minutes to complete.
When the scan completes open the Registry tab and locate the following detections:

[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4113773215-1896902246-4033210979-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://login.hhtxnet.com/ -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-4113773215-1896902246-4033210979-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://login.hhtxnet.com/ -> Found

Make sure those entries are Checkmarked (ticked), also ensure that all other entries are not Checkmarked.
Open the Files tab and locate the following detections:

[suspicious.Path|Suspicious.Startup][File] C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk -> Found
[suspicious.Path|Suspicious.Startup][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk -> Found
[PUP][Folder] C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0} -> Found

Make sure those entries are Checkmarked (ticked), also ensure that all other entries are not Checkmarked.
Hit the Delete button, when complete select "Report", in the next window select "Export txt", the log will open as a text file, post that log... Also save to your Desktop for reference.

Next,
Please download Malwarebytes Anti-Rootkit from here
Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced, they will be in the MBAR folder... mbar-log.txt and system-log.txt

Post those logs...

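As an added example (not part of the thread and not RogueKiller's own code), the detection lines quoted in the post above can be parsed into records so that startup-folder entries and changed browser settings are listed separately for review. The `Detection` class and the function names are hypothetical, and the line layout is assumed only from the lines shown in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: detection lines copied from the post above.
SAMPLE_REPORT = r"""
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-4113773215-1896902246-4033210979-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://login.hhtxnet.com/ -> Found
[suspicious.Path|Suspicious.Startup][File] C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk -> Found
[suspicious.Path|Suspicious.Startup][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk -> Found
[PUP][Folder] C:\ProgramData\{BAF091CA-86C4-4627-ADA1-897E2621C1B0} -> Found
"""

# Assumed layout: [tag|tag], then (X86|X64) for registry items or
# [File]/[Folder] for filesystem items, then the target and "-> status".
LINE_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\]\s*"
    r"(?:\((?P<arch>X86|X64)\)|\[(?P<kind>File|Folder)\])\s+"
    r"(?P<target>.+?)\s+->\s+(?P<status>\w+)\s*$"
)

@dataclass
class Detection:
    tags: List[str]          # lower-cased, e.g. ["pum.searchpage"]
    scope: str               # "registry", "file" or "folder"
    arch: Optional[str]      # registry view (X86/X64), None for files
    path: str                # registry key or filesystem path
    value: Optional[str]     # registry value name, if the line names one
    data: Optional[str]      # registry value data, if present
    status: str

def parse_line(line: str) -> Optional[Detection]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None          # headers, blank lines, anything unrecognised
    tags = [t.lower() for t in m["tags"].split("|")]
    target, value, data = m["target"], None, None
    if m["arch"]:
        scope = "registry"
        if " | " in target:  # "key | value name : value data"
            target, _, rest = target.partition(" | ")
            value, _, data = (part.strip() for part in rest.partition(" : "))
    else:
        scope = m["kind"].lower()
    return Detection(tags, scope, m["arch"], target, value, data, m["status"])

def parse_report(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]

def startup_items(dets: List[Detection]) -> List[Detection]:
    # Files in a per-user or all-users Startup folder run at every logon.
    marker = "\\start menu\\programs\\startup\\"
    return [d for d in dets if d.scope == "file" and marker in d.path.lower()]

def changed_settings(dets: List[Detection]):
    # PUM.* tags in the sample lines carry a registry value name and its data.
    return [(d.path, d.value, d.data) for d in dets
            if any(t.startswith("pum.") for t in d.tags)]

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for d in startup_items(found):
        print("startup:", d.path)
    for key, value, data in changed_settings(found):
        print("setting:", key, "|", value, "=", data)
```
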
MohamedShibl Posted October 27, 2015 Author ID:998113
Thank you Sir! Now I can run Malwarebytes and normal cleaning programs... Does that mean the threat got solved? ... and what about that thing, should I delete it too? And about the logs, I will post them when the scans are done.

MohamedShibl Posted October 27, 2015 Author ID:998117
Here are the logs
Export.txt
mbar-log-2015-10-27 (15-28-19).txt
system-log.txt

kevinf80 Posted October 27, 2015 ID:998152
The thing you mention in the image is related to IOBit, I would recommend that you uninstall anything related to IOBit, Advanced System Care and anything else related to IOBit.

Next,
Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan"
Select scan, when done post the two logs...

Post those logs, also let me know if there are any remaining issues or concerns...
Kevin...

MohamedShibl Posted October 27, 2015 Author ID:998159
But why isn't Advanced System Care a very good program..? And here are the logs (first time I didn't checkmark Addition, so here are both FRST(s))
FRST.txt
FRST (2).txt
FRST (2).txt
Addition.txt

kevinf80 Posted October 27, 2015 ID:998183
Advanced System Care and IOBit are the same company, a few years back IOBit were accused of stealing Malwarebytes databases. The company is based in China so proving the issue was difficult... Read this thread: https://forums.malwarebytes.org/index.php?/topic/29681-iobit-steals-malwarebytes-intellectual-property/
I still do not recommend IOBit or any associated programs, obviously the choice is yours...

Those logs are clean, no obvious malware or infection. Continue to clean up...

Download "Delfix by Xplode" and save it to your desktop.
Or use the following if first link is down:
"Delfix link mirror"
Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as Administrator.
Make sure the following items are checked:
Remove disinfection tools
Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
Reset system settings
Now click on "Run" and wait patiently until the tool has completed.
The tool will create a log when it has completed. We don't need you to post this.
Any remnant files/logs from tools we have used can be deleted...

Next,
Read the following links to fully understand PC Security and Best Practices, you may find them useful...
Answers to Common Security Questions and best Practices
Do I need a Registry Cleaner?

Take care and surf safe,
let me know if we can close out..
Kevin...

MohamedShibl Posted October 28, 2015 Author ID:998309
I think that everything is in order now. Thanks a lot for the help, sir.

kevinf80 Posted October 28, 2015 ID:998316
You're very welcome, it was a pleasure to work with you...
Regards,
Kevin.

Root Admin AdvancedSetup Posted November 5, 2015 ID:999809
Glad we could help.
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!