Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Basic Sdfix Question/confirmation


  • Please log in to reply
3 replies to this topic

#1 lzyg

lzyg

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:MD, USA
  • Local time:09:13 PM

Posted 18 September 2008 - 11:02 AM

OK. I am very new here but hopefully this is the right place top post this question, it seems to be from what I can see. Anyway...

I have what I think is a very basic question/confirmation request about using SDFix. I was following the usage instructions:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

At step 11 (rebooting after the scan) nothing is mentioned about what mode to reboot in - still safe mode or not. I assumed sticking in safe mode was the way to go, but the items that the log claimed were removed "came back" and I seemed to never get screen 12 & 13. I was worried this was because the infection I have ("Rootkit.Win32.Agent.cku") is particularly tenacious, but then I happened to do a reboot in regular (i.e. not safe) mode and I saw screens 12 & 13 (from user guide linked above) which i had not seen before. After this all evidence of Rootkit.Win32.Agent.cku seems to have disappeared (there's no tdsserv.sys file any more searching in a dos screen) and running another SDFix scan revels nothing. So to me it seems all is fixed and I should have just reboot in regular (not safe) mode first of all. Checking back on the instructions though nothing is mentioned.

So really I just want to double check (at this point I'm at the end of over 2 days of tracking/destroying/updated/rebooting and I'm getting very paranoid) that I have now done the right thing with SDFix and I am (probably) as safe as I now seem. I am going to go thru updating, rerunning, rescanning with all the different tools I've been using, but for now before I start going thru all that (again) I want to check that at least I have done this part correctly now.

Thanks in advance.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:13 PM

Posted 18 September 2008 - 12:59 PM

Reboot normally, then continue as follows:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 lzyg

lzyg
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:MD, USA
  • Local time:09:13 PM

Posted 18 September 2008 - 01:12 PM

Thanks for the confirmation quietman, I've already run Malwarebytes as well and everything appears clean now. I'm going to go thru the whole process one more time all the same though, once I have made sure everything is up to date (again). I can finally see the end in sight.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:13 PM

Posted 19 September 2008 - 08:13 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users