Author Topic: MBR Trojan need some help please !  (Read 19195 times)

Offline _The_Nothing_

  • Newbie
  • *
  • Posts: 12
Re: MBR Trojan need some help please !
« Reply #15 on: December 30, 2011, 02:59:13 AM »
Yes, this is true, but the reg shot shows it in red, and when I use regedit to look for the reg files they are not there; therefore I take it that they are super hidden files, am I not correct? Yes, some micro$oft files are that way on purpose, so people don't mess their systems up, and for security. I understand this much.

Online wasgij6

  • Volunteer Moderator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3637
Re: MBR Trojan need some help please !
« Reply #16 on: December 30, 2011, 03:03:19 AM »
If you do think you have a rootkit, your best bet would be to create a bootable disk with Kaspersky Rescue Disk. It makes things a lot easier to remove a rootkit when using a bootable environment.
| Win 8.1 Pro (x64) | UAC Disabled | CFW 7.0.317799.4142 | Intel i7 4770k | Asus Maximus VI Formula Mobo | Asus GeForce GTX 780 | G.Skill TridentX 16gb RAM | Samsung 840 SSD |

Offline _The_Nothing_

  • Newbie
  • *
  • Posts: 12
Re: MBR Trojan need some help please !
« Reply #17 on: April 13, 2012, 09:54:11 PM »
Sorry it's taken a while to get rid of and fix stuff just to get back on. Apparently my WiFi has been hacked by someone in China; I can't fix this one on my own so far.

Offline MichelB

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 316
Re: MBR Trojan need some help please !
« Reply #18 on: April 27, 2012, 10:27:43 AM »
_The_Nothing_

First...
Change the username and password on your router.

Second...
Speak to your ISP and ask them to reallocate your public IP address

Third...
On a clean PC download UnHackMe from http://www.greatis.com/unhackme/ save it to USB or burn it to CD

Fourth...
Install UnHackMe on the infected machine. Go through the "Check Me Now" and multi-engine virus scans. Reboot the system and let RegRun do its thing. When UnHackMe gets to the results page, do not click "Fix Problems"; click Advanced View to show a list of hidden items, autoruns, BHOs etc. From that screen you should be able to see any suspicious items and action them accordingly.

Fifth...
Be aware that in a lot of cases involving MBR infections it is safer (and usually a lot quicker) to buy a new hard drive, install everything from scratch on to it and then copy data, and only data, from the old hard drive to the new one.



Offline _The_Nothing_

  • Newbie
  • *
  • Posts: 12
Re: MBR Trojan need some help please !
« Reply #19 on: April 29, 2012, 10:04:57 PM »
Well, I took your suggestion and got a new copy of UnHackMe; mine was from 2008, on which the rootkit finder still works, whereas they've disabled it on the new one. Anyway, lol, I had to run ComboFix again to get back on. I will post my results for you. I've narrowed it down: they've put some code in my wlan.exe or swapped it out for a fake one; that's where the funny connection keeps coming from.
lol, this is like the best chess game I've ever played, lol. It's kinda fun; well, at first it was really annoying, but I gathered enough get-off-my-computer programs to remove stuff with, and now it's kinda fun. They hit me with a bunch of malware and spyware, and in half an hour to an hour I'm right back on.
Thanks for any help you can provide me with in removing them.

Offline MichelB

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 316
Re: MBR Trojan need some help please !
« Reply #20 on: April 30, 2012, 04:07:49 AM »
You may have a revised version of this: http://www.securelist.com/en/descriptions/old21782865.

I assume that you removed or disabled any rogue startup entries UnHackMe found?

Be wary of PC Tools AV stuff, it flags a lot of false positives.

If your wlan.exe file is suspect, rename it to wlan.exe.old and copy a fresh version off the OS installation CD.

Check your startup registry keys, listings under msconfig and services.

Without any browser windows open, do a netstat -ano from the command line and look for any outgoing connections to foreign servers, and note the Process ID (it will probably be 0, which indicates that svchost is corrupt). If the PID is not 0, trace the executable calling the process, rename the .exe file and replace it with a known good copy.

As I said, if this is an MBR rootkit/bootkit you will be better off scrubbing the drive and re-installing from scratch. You could be hunting this thing down until kingdom come and still never be able to remove it.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 18743
Re: MBR Trojan need some help please !
« Reply #21 on: April 30, 2012, 08:38:21 AM »
Sorry it's taken a while to get rid of and fix stuff just to get back on. Apparently my WiFi has been hacked by someone in China; I can't fix this one on my own so far.
What in the screenshots you provided makes you think your WiFi has been hacked?

Assuming HPWAMain.exe is digitally signed, I advise checking whether the digital signature is OK. If it is OK, then it is the original program from HP and not an infected version.
« Last Edit: April 30, 2012, 08:43:49 AM by EricJH »
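The two checks MichelB and EricJH describe above (netstat -ano with browsers closed, trace the PID back to its executable, then verify the file's digital signature) can be done in one pass. The script below is an added example written for this thread, not code posted by anyone in it or part of any product mentioned here. It assumes an elevated PowerShell 3.0 or later prompt on the suspect Windows machine; it parses the text output of netstat -ano rather than using Get-NetTCPConnection so that it also runs on the Windows 7 era systems in this discussion. One caveat worth knowing before reading the results: PID 0 in netstat -ano is the System Idle Process, and netstat reports it for sockets that no longer belong to any process (typically TIME_WAIT entries), so a PID of 0 on its own is not evidence of a tampered svchost.

```powershell
# Added example for this thread (not from the original posts or any product here).
# Run from an elevated PowerShell 3.0+ prompt with all browsers closed.

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918 ranges, loopback, and the 169.254.x.y APIPA range discussed in
    # the thread; anything else is treated as "foreign" and worth a look.
    return ($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|127\.)' -or
            $Address -in @('0.0.0.0', '[::]', '[::1]') -or
            $Address.StartsWith('[fe80:'))
}

function Get-OutboundTcpConnection {
    # A netstat -ano TCP line looks like (constructed sample):
    #   TCP    192.168.1.5:49200    203.0.113.7:443    ESTABLISHED    1234
    $pattern = '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$'
    netstat -ano | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                LocalAddress  = $Matches[1]
                LocalPort     = [int]$Matches[2]
                RemoteAddress = $Matches[3]
                RemotePort    = [int]$Matches[4]
                State         = $Matches[5]
                OwnerPid      = [int]$Matches[6]   # named OwnerPid: $PID is reserved
            }
        }
    } | Where-Object { $_.State -ne 'LISTENING' -and -not (Test-PrivateAddress $_.RemoteAddress) }
}

function Get-ConnectionOwner {
    param([int]$OwnerPid)
    if ($OwnerPid -eq 0) {
        # PID 0 = System Idle Process; netstat uses it for sockets no process owns
        # any more (usually TIME_WAIT). There is no executable to trace here.
        return [pscustomobject]@{ Name = '(no owner)'; Path = $null; Signature = 'n/a'; Signer = $null; Services = $null }
    }
    $proc = Get-Process -Id $OwnerPid -ErrorAction SilentlyContinue
    if (-not $proc) {
        return [pscustomobject]@{ Name = '(exited)'; Path = $null; Signature = 'n/a'; Signer = $null; Services = $null }
    }
    $path = $proc.Path   # can be $null for protected system processes
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    # svchost.exe hosts several services per instance; tasklist /svc shows which
    # ones live in this PID, which is what you actually need to chase down.
    $services = $null
    if ($proc.Name -eq 'svchost') {
        $services = (tasklist /svc /fi "PID eq $OwnerPid" /fo csv | ConvertFrom-Csv).Services
    }
    [pscustomobject]@{
        Name      = $proc.Name
        Path      = $path
        Signature = if ($sig) { $sig.Status.ToString() } else { 'unknown' }   # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Services  = $services
    }
}

# One row per outbound TCP connection to a non-private address.
Get-OutboundTcpConnection | ForEach-Object {
    $owner = Get-ConnectionOwner -OwnerPid $_.OwnerPid
    [pscustomobject]@{
        Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
        State     = $_.State
        OwnerPid  = $_.OwnerPid
        Process   = $owner.Name
        Path      = $owner.Path
        Signature = $owner.Signature
        Signer    = $owner.Signer
        Services  = $owner.Services
    }
} | Format-Table -AutoSize -Wrap
```

To check a single file as EricJH suggests, run Get-AuthenticodeSignature -FilePath on the HPWAMain.exe (or wlan.exe) path shown in the Path column and look at Status and SignerCertificate.Subject. A Status of Valid with the expected vendor as signer means the file is unmodified; HashMismatch means the file has been altered since signing and is exactly the case to rename and replace with a known good copy; NotSigned only tells you the vendor did not sign that binary, which many older OEM utilities were not, so it is a reason to look closer, not proof of infection on its own.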

Offline _The_Nothing_

  • Newbie
  • *
  • Posts: 12
Re: MBR Trojan need some help please !
« Reply #22 on: May 01, 2012, 02:03:36 AM »
Sorry for the Spyware Doctor pic; I didn't mean to post that one and couldn't edit it.
Um, well, I've been fighting this for about three years, and when I bought this dumb thing it didn't come with a disc. I made a Windows recovery disc a while back when they released an ISO of it, so I got it; that's about all I've got to work with.

Offline MichelB

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 316
Re: MBR Trojan need some help please !
« Reply #23 on: May 01, 2012, 03:19:53 AM »
"I've been fighting this for about three years"... why?

Solve your problem - http://emea.microsoftstore.com/uk/en-GB - get on with life.

BTW: 169.254.x.y is an APIPA address which Windows allocates itself when it is not being given an address by a server or a router. This is not an indication of an infection and is fixed by giving yourself a static IP address.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 18743
Re: MBR Trojan need some help please !
« Reply #24 on: May 01, 2012, 10:45:04 AM »
An IP address in the 169 range means that your computer does not see a network. When Windows does not see a network it will give the network card an IP address in the 169 range so it will have an IP address in case you want to make an ad hoc connection to another computer.

Getting an IP address in the 169 range usually indicates a problem while connecting to a router; think of a faulty wire or a lot of radio signals from neighbours interfering with your WiFi.

Did you check the digital signature of the HP program?

What version of Windows are you using?

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 9903
Re: MBR Trojan need some help please !
« Reply #25 on: May 01, 2012, 06:19:42 PM »
How to Clean An Infected Computer

Please let me know if following the advice given here is not enough to remove the malware. The instructions for how to make sure all malware has been removed can be found in my article about How to Know If Your Computer Is Infected. Please let me know if the methods suggested are not able to fully remove the infection, as I am trying to design the instructions such that they can remove almost any infection.

Once the infection has been removed please see this topic.

Offline _The_Nothing_

  • Newbie
  • *
  • Posts: 12
Re: MBR Trojan need some help please !
« Reply #26 on: May 12, 2012, 03:30:41 AM »
Sorry it takes so long to get back to everyone.
THANKS a million for all your patience and time.
Well, here it goes: logs and pics.

Will look into that Kaspersky link and check out more of this mess, lol.
