Hijack Log- Fake Visa Verification Site [CLOSED]


  • This topic is locked

#76
fenzodahl512


  • Malware Removal
  • 9,863 posts

I attached the blank log file



Oh... Ok.. This will be my last instruction before I go to work... Please do the following.. :)


Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.

  • 0


#77
decane


  • Topic Starter
  • Member
  • 105 posts
I don't get the message when I hit the copy button. So there is nothing to copy to notepad.
  • 0

#78
fenzodahl512


  • Malware Removal
  • 9,863 posts

I don't get the message when I hit the copy button. So there is nothing to copy to notepad.



It's okay.. don't worry about it.. :)


Just follow my instruction above.. I'll be back after work (about 10 hours from now..)


Thank you for being patient with me :)


Regards
fenzodahl512
  • 0

#79
decane


  • Topic Starter
  • Member
  • 105 posts
SDFix: Version 1.201
Run by Administrator on Fri 07/04/2008 at 12:46 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\ed47fa.$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$

Folder C:\WINDOWS\system32\aqVreo01 - Removed
Folder C:\WINDOWS\system32\vntiho01 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 01:09:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!
  • 0
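A read-only triage of the Report.txt layout posted above, as an added example that is not part of the original thread and is not SDFix's own code. The sample is an abridged copy of the posted report, and the function names and the follow-up rule are assumptions made for illustration.

```python
import re

# Constructed sample: abridged from the Report.txt posted above.
SAMPLE_REPORT = r"""SDFix: Version 1.201
Running From: C:\SDFix

Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\ed47fa.$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector by Gmer or CureIt by Dr.Web

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$

Folder C:\WINDOWS\system32\aqVreo01 - Removed

Final Check :

hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip
"""

# A section header is a line holding only words and a trailing colon,
# e.g. "Checking Files :" or "Trojan Files Found:".
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*$")


def split_sections(report):
    """Group non-empty report lines under the header that precedes them."""
    sections = {"": []}
    current = ""
    for raw in report.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def triage(report):
    """Summarise what the tool removed, what it could not, and what it flagged."""
    sections = split_sections(report)
    deleted = re.findall(r"^(.+?) - Deleted\s*$", report, re.M)
    failed = re.findall(r"^Could Not Remove (.+?)\s*$", report, re.M)
    remaining = [line[:-len(" Found")]
                 for line in sections.get("Remaining Files", [])
                 if line.endswith(" Found")]
    mbr_note = any(line.startswith("Note -") and "MBR Rootkit" in line
                   for line in report.splitlines())
    hidden = {kind: int(count) for kind, count in re.findall(
        r"^hidden (processes|services|files): (\d+)\s*$", report, re.M)}
    unresolved = sorted(set(failed) | set(remaining), key=str.lower)
    return {
        "deleted": deleted,
        "unresolved": unresolved,
        "mbr_rootkit_note": mbr_note,
        # Reported separately: in the posted report these counts were all 0
        # even though the MBR note and undeletable files were present.
        "hidden_counts": hidden,
        # Assumed rule: either signal means the cleanup is not finished.
        "needs_followup": mbr_note or bool(unresolved),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```
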

#80
fenzodahl512


  • Malware Removal
  • 9,863 posts
Ah... Now I see what's inside your computer.. That's why we couldn't remove those pesky things.. You have an MBR rootkit..


Please run mbr.exe that you downloaded before and post its fresh log here.. And... I'm off for two days.. That means I will have lots of time for ya :)


Regards
fenzodahl512
  • 0

#81
decane


  • Topic Starter
  • Member
  • 105 posts
Great. I'm off for a few days as well.

What is MBR Rootkit? Is it something very serious?

I'm running the scan now and will post the log as soon as it is available.
  • 0

#82
fenzodahl512


  • Malware Removal
  • 9,863 posts

Great. I'm off for a few days as well.

What is MBR Rootkit? Is it something very serious?

I'm running the scan now and will post the log as soon as it is available.


:) Any rootkit is serious stuff..

Will wait for your log.. It should be a very short time.. :)
  • 0

#83
decane


  • Topic Starter
  • Member
  • 105 posts
I clicked on MBR.exe. I clicked on run, but nothing happened.

So I downloaded it again to my desktop. I clicked on MBR.exe. I clicked on run and this time a small window appeared and then immediately closed.

What should I do? Should I run it in safe mode?

Thanks.
  • 0

#84
fenzodahl512


  • Malware Removal
  • 9,863 posts

I clicked on MBR.exe. I clicked on run, but nothing happened.

So I downloaded it again to my desktop. I clicked on MBR.exe. I clicked on run and this time a small window appeared and then immediately closed.

What should I do? Should I run it in safe mode?

Thanks.


Er.. It is like that.. Can you see a text file named mbr on your Desktop? If yes, please post that.. :)
  • 0

#85
decane


  • Topic Starter
  • Member
  • 105 posts
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR

It looks like it didn't work.
  • 0


#86
fenzodahl512


  • Malware Removal
  • 9,863 posts
Please copy everything inside the quote box below and paste it into notepad. Go up to "File > Save As", click the drop-down box to change the "Save As Type" to "All Files". Save it as runthis.bat on your desktop.

"%USERPROFILE%\Desktop\mbr.exe" -f>>"%USERPROFILE%\Desktop\mbr2.txt"

Double-click runthis.bat. A window will open and close quickly, this is normal. A new text file mbr2.txt will be created on your Desktop. Please post its content in your next reply..

If you are not sure how to make a batch file, please visit HERE for the tutorial.

Edited by fenzodahl512, 04 July 2008 - 12:23 PM.

  • 0

#87
decane


  • Topic Starter
  • Member
  • 105 posts
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR


I tried to run it a few times. It looks like it didn't work
  • 0

#88
fenzodahl512


  • Malware Removal
  • 9,863 posts
Ok.. Let's do this first....


1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to delete:
C:\WINDOWS\Temp\bca4e2da.$$$
C:\WINDOWS\Temp\fa56d7ec.$$$

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply



After that, please double-click runthis.bat again and post the mbr2.txt here, along with Avenger log..
  • 0

#89
decane


  • Topic Starter
  • Member
  • 105 posts
My PC only rebooted once. I'm not sure if that matters. Below is the Avenger text file. I'll post the batch separately.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\Temp\bca4e2da.$$$" deleted successfully.
File "C:\WINDOWS\Temp\fa56d7ec.$$$" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0

#90
decane


  • Topic Starter
  • Member
  • 105 posts
It looks like runthis.bat didn't work.

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR
  • 0





