
Hey

I have recently had problems with my computer. A rogue antivirus was recently on my computer, but I managed to remove it thanks to MBAM.

But I don't think MBAM has completely removed all the malware. I am still receiving adware, and I'm pretty sure there may be a trojan or maybe a rootkit still on my computer. I looked into Task Manager to see if there were unusual processes, and I keep seeing many iexplore.exe processes, not run by me but under SYSTEM. Sorry if this explanation is not very understandable, I'm not a computer expert :/

Thanks


When you ran GMER did you....

Disable your CD Emulation drivers with DeFogger ?

--------------------------

Try running it like this:

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Let me know, MrC


OK, here's a real simple tool to check for rootkits:

Download and unzip the Avenger from the link below:

http://swandog46.geekstogo.com/avenger2/download.php

Open the program and make sure.........

Scan for rootkits <-----this box is checked

Automatically disable any rootkits found <----this box is not checked

Then click Execute button then choose Yes in the box that pops up.

Reboot the computer

After the computer reboots, a text with the results will appear.

Please post it in your reply.

------------------------------------

Next:

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable. More info HERE
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

5. Give it at least 20-30 minutes to finish if needed.

MrC


OK, Thanks for doing that.

These two files that GMER found are most likely from ComboFix (tools used by it):

C:\DOCUME~1\simy\LOCALS~1\Temp\catchme.sys

C:\DOCUME~1\simy\LOCALS~1\Temp\mbr.sys

---------------------------------

Run these two small programs and post the reports back here:

Download TDSSKiller and save it to your Desktop.

Click on TDSSKiller.exe to run it.

Once completed it will create a log in your C:\ drive called TDSSKiller_*** (*** denotes version & date)

Please post the content of the TDSSKiller log

-----------------------------

Download MBRCheck.exe to your desktop

XP users > double click on MBRCheck.exe to run it

Vista and Windows 7 users > right click on MBRCheck.exe and select Run as Administrator

It will show a black screen with some data on it

Don't run any of the options!!!

When it's done > Press Enter to close the program

A file called MBRCheck_ will appear on your desktop.

Please copy it into your next reply.

MrC


You were right...There it is:

-------------------------------------------------------------------------------------

MBRCheck, version 1.1.1

© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status

--------------------------------------------

74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...

--------------------------------------------------------

Let me decide how we're going to fix this, MrC

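The MBRCheck report above flags the machine because the bootstrap code in sector 0 does not match any known loader. As an added illustration that is not part of this thread or of MBRCheck, the following Python parses a constructed 512-byte MBR, hashes its 440-byte bootstrap region and reports code that is not on a known-good allowlist; the sample loader bytes, disk signature, partition entry and allowlist are all constructed for the example.

```python
import hashlib
import struct

BOOT_CODE_END = 440        # bootstrap code occupies bytes 0..439
PART_TABLE_OFFSET = 446    # four 16-byte partition entries follow the disk signature
SIGNATURE = b"\x55\xaa"    # boot signature at bytes 510..511
# Constructed sample loader standing in for clean boot code (not real code).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
# Constructed tampered variant: the same loader with a few bytes patched.
PATCHED_BOOT_CODE = b"\xfa\x33\xc0\xe9\x00\x01" + CLEAN_BOOT_CODE[6:]

def build_sample_mbr(boot_code: bytes) -> bytes:
    # Assemble a 512-byte MBR around the given bootstrap bytes (constructed sample).
    sector = bytearray(512)
    sector[:BOOT_CODE_END] = boot_code[:BOOT_CODE_END].ljust(BOOT_CODE_END, b"\x00")
    sector[440:444] = b"\x78\x56\x34\x12"   # disk signature 0x12345678, little-endian
    # Partition 0: active, type 0x07 (NTFS), starting at LBA 63, 2,097,152 sectors.
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    sector[510:512] = SIGNATURE
    return bytes(sector)

def parse_mbr(sector: bytes) -> dict:
    # Split an MBR into its bootstrap-code hash, disk signature and partition entries.
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack("<II", sector[off + 8:off + 16])
        if ptype != 0:   # type 0 marks an unused entry
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"valid_signature": sector[510:512] == SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "disk_signature": struct.unpack("<I", sector[440:444])[0],
            "partitions": partitions}

def classify_mbr(sector: bytes, known_good: set) -> str:
    # Compare the bootstrap-code hash with an allowlist of known-good loaders.
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "invalid"        # missing 0x55AA: not a usable MBR at all
    if info["boot_code_sha256"] in known_good:
        return "known-good"
    return "non-standard"       # unknown loader: compare against a clean copy
# Allowlist built from the constructed clean loader; a real tool ships vendor hashes.
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}
```

A "non-standard" result on a real disk is a prompt to compare the sector with a clean copy, as the thread does, rather than proof of infection on its own.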

Please Note:

While fixing the Master Boot Record (MBR) is generally safe, there is a very small risk of damaging the system: the system may not boot up, or partitions may become corrupted. Be sure to have your MS Windows CD at hand, which will allow you to recover the boot code via the Recovery Console in case of any problems, or please install the XP Recovery Console now.

You have the Recovery Console installed!

If any problems occur, the links below explain how to repair the MBR:

Repair MBR XP and Vista

Please familiarize yourself with the procedure for your operating system version in case it's needed.

------------------------------------

OK, here's the fix:

Run MBRCheck.exe

Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Please push the 'Y' key and then press Enter

When the program asks you Enter your choice:, enter 2 and press the Enter key.

Now the program will ask you Enter the physical disk number to fix (0-99, -1 to cancel):

Enter 0 and press the Enter key.

The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.

The program will prompt for confirmation. Type YES and hit Enter.

Left click on the title bar at the top of the window (where the program name and path are written).

From the menu choose Edit -> Select All.

Hit the Enter key on your keyboard to copy selected text.

Paste that text into Notepad, save it to your desktop as MBRCheck results.txt

Hit Enter to close the program.

Restart your PC.

Post the text in MBRCheck results.txt here, please.

MrC


OK, please do this:

Download TFC to your desktop, it will clean out all the temp files on your system.

Open the file and close any other windows.

It will close all programs itself when run, make sure to let it run uninterrupted.

Click the Start button to begin the process. The program should not take long to finish its job.

Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

----------------------------------

Update and then run a quick scan with MBAM.

Post the log back here when done, MrC
