[p.ave]

Here it is  mbrcheck811.txt   512bytes   308 downloads

[Advertisements]

It appears to be legitimate but, with the browsers opening it is still suspect, what is the make of your system ? i.e. Dell, HP or whatever

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right



Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan


Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Automatic Scan report from the left and press Save button
Save it to your desktop and attach to your next post


Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information



On completion click the link to locate the zip file to upload and attach to your next post

[Essexboy]

It appears to be legitimate but, with the browsers opening it is still suspect, what is the make of your system ? i.e. Dell, HP or whatever

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right



Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan


Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Automatic Scan report from the left and press Save button
Save it to your desktop and attach to your next post


Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information



On completion click the link to locate the zip file to upload and attach to your next post

[p.ave]

the computer is an hp that is currently running slow. Kasp virus scan running.

[Essexboy]

OK that may explain the unknown MBR part - but the lack of access is concerning

[p.ave]

Tried to run Kasp twice, it finds things but then gets bogged down and stuck. Had to restart computer.

[p.ave]

Fake security protection is back...

[Essexboy]

OK lets replace the MBR and run another check

Re-Run aswMBR

Click Scan

On completion of the scan
Click the FIXMBR Button



Save the log as before and post in your next reply

THEN

Re-run Combofix and allow it to update, posting the log on completion

[p.ave]

I actually had restarted kasp. (its about 50% complete, but has taken 5+ hours) it detected 6 threats. Should i stop that to run MBR?

[Essexboy]

No continue with the AVP run and if possible run the analysis scan as well

If AVP finds the MBR infected and cleans it then there is no requirement for aswMBR. However, if AVP does not do anything to the MBR then run aswMBR

[p.ave]

Here is the AVP manual scan results. I zipped the auto scan results but it wouldn't attach.

Attached Files

•  AVPmanual8-12.txt   23.15KB   360 downloads

[p.ave]

I'm guessing that its too big even zipped (~5 MB)

[Essexboy]

OK could you open AVP and on the manual disinfection tab click the link to avptool sysinfo.zip as that will be small enough to attach and contains the analysis run that I wil need to look at

[p.ave]

Here is the zip

Attached Files

•  avptool_sysinfo.zip   20.85KB   340 downloads

[Essexboy]

OK I can now see the name of the driver, but not yet the location

• Re-run AVPTool
• Select the Manual Disinfection tab and press Script execution
  
• Where it states Insert text script in the following box copy the below script and press Run script
  Copy from Begin until End
  
  

  begin
  SetAVZPMStatus(True);
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
   DeleteFile('C:\Documents and Settings\TEST\Local Settings\Temp\_uninst_43665347.bat');
   BC_DeleteFile('C:\Documents and Settings\TEST\Local Settings\Temp\_uninst_43665347.bat');
   DeleteFile('C:\WINDOWS\TEMP\12.tmp');
   BC_DeleteFile('C:\WINDOWS\TEMP\12.tmp');
   DeleteFile('C:\WINDOWS\TEMP\20.tmp');
   BC_DeleteFile('C:\WINDOWS\TEMP\20.tmp');
  BC_ImportDeletedList;
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
  end.

  
  
• Your system will reboot on completion, if it does not please do so yourself
• On completion please run another analysis scan and attach the zip file

THEN

Re-run Combofix, allowing it to update if it asks

[p.ave]

here's the updated avp

Attached Files

•  avptool_sysinfo.zip   20.92KB   345 downloads