Antimalware Defender

#1 esde

Posted 02 March 2010 - 12:03 PM

I have a Windows XP machine on the bench with Antimalware Defender and it is NOT wanting to be removed.

I have disabled System Restore, booted into Safe Mode with Networking, and run updated MalwareBytes and Security Essentials scans externally on a test machine. Reinstalled the hard drive, and the infection was instantly back.

In the registry there are a few infected keys in the Classes section; removed those, and rundll32.exe that was in system32, ran the scans again, and again, and the infection is still there. If it is logs, caps, HJT logs, etc. you want, link me to the program and let me know which to attach. Prompt response is greatly appreciated.
I do not see why man should not be just as cruel as nature.
-Adolf Hitler

#2 esde
Topic Starter

Posted 02 March 2010 - 12:52 PM

**UPDATE**

I ran Malwarebytes only ONCE before; this time I tried everything TWICE. Run MalwareBytes once, then Hitman Pro 3.5, then Malwarebytes again, then Hitman Pro 3.5 again.

Also, for the files Hitman Pro 3.5 finds, "xxxx-xxx-xxx-xxxx.AVI/MKV/ico" (the file name looks like a CLSID), inspect the filename, then search for it in the registry and remove any key with the filename in it. The infection loads and re-infects the system on reboot. Once you have scanned twice and then removed any infected keys, you should be good. :thumbsup:

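The registry search described in post #2, as an added PowerShell example that is not from the thread or from any of the tools it mentions: it walks the Classes hive and the two Run keys, reports every key name, value name or string value whose text matches a GUID-like media/icon file name, and deletes nothing, so the findings can be reviewed and pasted into a log before anything is touched. The function name, the hive list and the regex are assumptions; the pattern is only a guess at the shape of the names Hitman Pro reported.

```powershell
# Added example, not code from the thread or from Hitman Pro / Malwarebytes.
# Reports registry keys and values that reference a suspicious file name;
# it never deletes anything. Hive list and regex are assumptions.
function Find-RegistryFileReferences {
    [CmdletBinding()]
    param(
        # Regex matched against key names, value names and string value data.
        # Assumed shape: hex groups joined by hyphens, then .avi/.mkv/.ico.
        [string]$Pattern = '(?i)\b[0-9a-f]{2,8}(?:-[0-9a-f]{2,8}){3,4}\.(avi|mkv|ico)\b',

        # Hives to walk. HKCR is the merged view of the Classes keys the post
        # mentions; the Run keys are the usual per-machine/per-user autostarts.
        [string[]]$Roots = @(
            'Registry::HKEY_CLASSES_ROOT',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        )
    )

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # The root key itself plus every subkey beneath it (access errors skipped).
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            if ($null -eq $key) { continue }

            # A Classes subkey named after the file matches on the key name alone.
            if ($key.PSChildName -match $Pattern) {
                [pscustomobject]@{ Path = $key.Name; ValueName = '(key name)'; Data = $key.PSChildName }
            }

            foreach ($valueName in $key.GetValueNames()) {
                # Read raw data; do not expand %VARS% so the stored text is what we match.
                $data = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
                $text = if ($data -is [array]) { $data -join ' ' } else { [string]$data }
                if ($valueName -match $Pattern -or $text -match $Pattern) {
                    [pscustomobject]@{
                        Path      = $key.Name
                        ValueName = if ($valueName) { $valueName } else { '(Default)' }
                        Data      = $text
                    }
                }
            }
        }
    }
}

# Usage: run from an elevated prompt, review the table, keep the log for the thread.
Find-RegistryFileReferences |
    Tee-Object -FilePath "$env:SystemDrive\registry-refs.log" |
    Format-Table -AutoSize
```

Walking HKEY_CLASSES_ROOT recursively takes a while on a busy machine; narrowing `-Roots` to the specific Classes subtree where the scanner reported the file is the quick way to shorten the run.
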
#3 boopme
Global Moderator

Posted 02 March 2010 - 01:10 PM

Are you asking? You may have an MBR rootkit, if it is still occurring.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 esde
Topic Starter

Posted 02 March 2010 - 01:27 PM

I was asking, but it seems to be gone now. It appears to have been that CLSID key. Curious, if it was an MBR infection would I just rebuild a new MBR, or are there special removal procedures? Would ComboFix catch it, generally?

#5 boopme
Global Moderator

Posted 02 March 2010 - 01:33 PM

You really should not run ComboFix on your own. Note the Blue text atop this forum.

To check for and confirm the MBR rootkit:

Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

#6 esde
Topic Starter

Posted 02 March 2010 - 01:35 PM

Again, out of curiosity, do you have some kind of KB that you can query for symptoms, or is this forum the most efficient way to get an answer? I am a tech and work on infected machines all day, and it would be great if I had the resources you may have.

#7 boopme
Global Moderator

Posted 02 March 2010 - 02:23 PM

I just have the tool ID it if it exists.

#8 esde
Topic Starter

Posted 02 March 2010 - 02:44 PM

What?

#9 boopme
Global Moderator

Posted 02 March 2010 - 02:51 PM

Errr, I use the tool to see if the MBR rootkit exists...

#10 esde
Topic Starter

Posted 02 March 2010 - 02:56 PM

No, I am asking how you know what to recommend and most of the guides I see from you look like they are templates. My question is, do you have a collection of this knowledge in one location? For instance, a folder with all these guides in it which pertain to certain infections. Does that make more sense?

#11 boopme
Global Moderator

Posted 02 March 2010 - 03:19 PM

Well, I have seen many infections, and some do specific things and certain tools work best. Logs indicate what was found, so if I see a rootkit I use one of my prewritten responses. Sometimes it's another tool, or with certain infections, say TDL3 or atapi, it's best to see a DDS log next.
When you answer a lot of people I can't keep rewriting the replies.

#12 esde
Topic Starter

Posted 02 March 2010 - 03:22 PM

That's awesome. I have applied to GeekU on another site; will that be a good step in learning more about malware and virus removal? What would you recommend? Is there a better way to continue this discussion than in this thread?

#13 boopme
Global Moderator

Posted 02 March 2010 - 03:28 PM

Hi, well, it is a general chat topic. You are best served if you can get into one of the malware removal training programs. We take malware very seriously here and we are careful of the suggestions made.
Have you read through the pinned topics above, "Am I infected? What do I do?"
