Hi all


This topic is locked
5 replies to this topic

#1 Graham Williams

Graham Williams

  • Members
  • 16 posts
  • OFFLINE

Posted 29 May 2009 - 07:23 AM

Hi all.
My son told me to say "My computers gone WAK init!". This is not my style at all. To be fair it was a joke. Ha, but the truth is behind that.
My computer experience? Well it goes back a long way: PET, the first Apples, APL and this machine is running UBUNTU.
The questions I'll be asking concern a Windows machine, so let's get going with a preemptive Big Thanks.

Graham.
Dark days nurture new
light. Productions begin.
Now open your eyes.


#2 jgweed

jgweed

  • Staff Emeritus
  • 28,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Chicago, Il.

Posted 29 May 2009 - 10:09 AM

Thanks for joining and welcome to BC!
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#3 Graham Williams

Graham Williams
  • Topic Starter
  • Members
  • 16 posts
  • OFFLINE

Posted 01 June 2009 - 03:20 PM

I don't want to be seen to bump up my item so I thought I'd make some notes here.

Change the name of the downloaded Malwarebytes file from whatever it is to mb.exe
Change the name of the Malwarebytes exe file from mbam.exe to mb.exe

Change the name of the Superantispyware download file
Change the name of the EXE file.

Now both bits of software will run.
Whatever it is is blocking the operation of specific classes of software -

Cannot get past Safe mode so run Mb.exe in safe mode - Lots of files that I've deleted before so possibly we are looking at a root KiT?

After Running Mb.exe and clearing out the crap the system now starts in Normal mode - Ho Ha!

Switch off TeaTimer - I read somewhere that you should do this when running things!

In Normal mode: Run Mb.exe again - Full scan this time. Another 5 files, all ones I've seen before. Looks like something is running in the background and creating all this stuff. Delete the rubbish again.

Restart system into Normal mode
Run SAS.exe (You know what that is)
Rootkit.Agent/Gen-UACFake - 2 entries
Registry Cleaner Trail (I didn't put that on. It will go the way of all Flesh) - 5 Entries
Rootkit.Agent/GEN : A lot of stuff 59 items.
I'll keep the log file.

Do a reboot and see what has happened!
Dark days nurture new
light. Productions begin.
Now open your eyes.

#4 Graham Williams

Graham Williams
  • Topic Starter
  • Members
  • 16 posts
  • OFFLINE

Posted 01 June 2009 - 03:42 PM

Rebooted the system into Normal Mode.

SBSD was one of the programmes that was being blocked by whatever. (I don't think I mentioned this but after the first application of MB.exe SBSD ran from the Desktop Link but not since)

Check SBSD again and it still will not run from the desktop link. I suspect that whatever SAS thinks it has got rid of has not in fact been removed.

Run Mb.exe again - Quick Scan - Found 2 objects. I think that means my previous supposition is correct.
We have:
Trojan Agent C:\Windows\system32\uacinit.dll (init Ha)
RootKit Trace Reg Key HKEY_LOCAL_MACHINE\SOFTWARE\UAC

Ask Kill Box to Look for uacinit. Ha does not exist - Strange.

I'll get rid of them again but they'll be there for the next startup.

Is it time to run COMBOFIX? Any Advice?
Dark days nurture new
light. Productions begin.
Now open your eyes.

#5 Graham Williams

Graham Williams
  • Topic Starter
  • Members
  • 16 posts
  • OFFLINE

Posted 01 June 2009 - 03:56 PM

Is this Alice all over again?

I restart the computer into Normal mode after the last effort with Mb.exe
The Desktop came up nicely then -
Ha Ha - The Blue screen again - I had missed you my old Friend. Well not at all!
I suspect that DRIVER_IRQL_NOT_LESS_OR_EQUAL and all the other rubbish is just that and designed to allow the underlying bug enough time to regroup, gather its strength for another assault on the system!!!


Anyone want to have a try with this one?

Upon a whim, a fancy if you like, I restart the computer.
This time no Blue screen. It starts straight into Normal Mode but this time we see another old friend " Microsoft - Restart from a serious error etc... "
I suspect this is false as well.

Edited by Graham Williams, 01 June 2009 - 04:04 PM.

Dark days nurture new
light. Productions begin.
Now open your eyes.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,240 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA

Posted 01 June 2009 - 05:18 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....