Post by nanadeb on Jan 20, 2015 14:34:25 GMT -8
No go - renamed to explorer.exe, didn't work, deleted it, downloaded again as mbar.exe and again no go.
I get the Open File - Security Warning - Do you want to run this file? I click on "Run" and nothing happens.
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Jan 20, 2015 15:02:31 GMT -8
Download RogueKiller (by tigzy) on to your desktop.
- Quit all programs.
- Start RogueKiller.exe.
- Wait until the Prescan has finished ...
- Click on Scan. Once finished, click on Report.
Please post the contents of the RKreport.txt in your next Reply.
Quads
Post by nanadeb on Jan 20, 2015 17:00:08 GMT -8
Downloaded fine - to the desktop. Quit all programs (including disconnecting from the wireless router). Same issue as before - click on it to run, and nothing happens.
Post by Quads on Jan 20, 2015 17:33:05 GMT -8
Hmmmmmm, wouldn't have expected RogueKiller. It is the Vawtrak-like technique (that blocks a list of AV software, including Malwarebytes folders) which you had in your first FRST.txt; the only difference is you did not report the Windows dialog message. See the list of AVs below, so maybe a change in variant for 2015??
Quads
Post by nanadeb on Jan 21, 2015 5:58:43 GMT -8
Yeah, I have no idea what's going on, so frustrating. But you are correct, the security dialog box IS new, so something that you advised me to do had an impact.
Is there something else you want me to do?
Post by Quads on Jan 21, 2015 9:45:58 GMT -8
Press the Windows + R keys on your keyboard at the same time. Type notepad and click OK. Copy the entire content of the codebox below and paste it into Notepad (including start and end):

start
CMD: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s
CMD: reg query "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s
Reboot:
end

Click File, Save As and type fixlist (.txt may be seen on the end depending on the system setup) as the File Name. Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
Right-click on the FRST icon and select Run as Administrator to start FRST. (XP users click Run after receipt of the Windows Security Warning - Open File.) Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished, FRST will generate a log on the Desktop called Fixlog.txt. Paste or attach it back here.
Quads
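Added example (my code, not FRST's, RogueKiller's or Quads'): a Python script that reads the `reg query ... /s` dump the fixlist above produces and decodes it. SRP keeps each rule as a `{GUID}` subkey under `CodeIdentifiers\<level>\Paths` or `\Hashes`, where the decimal level is 0 for Disallowed and 262144 (0x40000) for Unrestricted, so a planted Disallowed path rule on the Malwarebytes folder or on RogueKiller.exe is exactly what a Vawtrak-style block list looks like in this output. The script flags such rules, emits `reg delete` lines that remove only those rules, and approximates SRP path matching to show why renaming a file gets past a per-file rule but not a folder rule. The SAMPLE_BLOCKING dump and its GUIDs are constructed, TOOL_HINTS is my own list, and `would_block()` is a simplification (no hash, certificate or zone rules). Fed the HKLM output from the Fixlog in this thread (one value, no rule subkeys), it reports nothing blocked.

```python
"""Interpret the SRP (Software Restriction Policy) dump that the fixlist above pulls with
`reg query` on Safer/CodeIdentifiers: which rules exist, which would stop a security tool
from launching, and how to delete just those.  Added example, not FRST's or Quads' code;
SAMPLE_BLOCKING and its GUIDs are constructed and would_block() only approximates SRP."""
import fnmatch
import re

# Safer level IDs (Winsafer.h); the decimal subkey a rule sits under is its level.
LEVELS = {0x0: "Disallowed", 0x1000: "Untrusted", 0x10000: "Constrained",
          0x20000: "Basic User", 0x40000: "Unrestricted"}
# Path fragments of tools a Vawtrak-style block list goes after (assumed list; extend it).
TOOL_HINTS = ("malwarebytes", "mbam", "mbar", "roguekiller", "tdsskiller", "frst")
KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")                # key line from reg query
VAL_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)(?:\s+(.*))?$")  # "    Name    REG_TYPE    data"
RULE_RE = re.compile(r"CodeIdentifiers\\(\d+)\\(Paths|Hashes)\\(\{[^}]+\})$")


def _decode(typ, data):
    return int(data, 16) if typ in ("REG_DWORD", "REG_QWORD") else data


def parse_reg_query(text):
    """Walk `reg query /s` output (FRST's ===== wrapper lines are ignored) into
    {"settings": values on CodeIdentifiers itself, "rules": one dict per {GUID} subkey}."""
    pol, current, rule = {"settings": {}, "rules": []}, None, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            if rule is not None:
                pol["rules"].append(rule)
            current, rule = key.group(1).rstrip(), None
            m = RULE_RE.search(current)
            if m:
                rule = {"key": current, "level": LEVELS.get(int(m.group(1)), m.group(1)),
                        "kind": m.group(2), "id": m.group(3), "ItemData": "", "SaferFlags": 0}
            continue
        val = VAL_RE.match(line)
        if not val or current is None:
            continue
        name, typ, data = val.group(1), val.group(2), val.group(3) or ""
        if rule is not None:
            rule[name] = _decode(typ, data)
        elif current.endswith("\\CodeIdentifiers"):
            pol["settings"][name.lower()] = _decode(typ, data)  # reg query echoes stored case
    if rule is not None:
        pol["rules"].append(rule)
    return pol


def blocked_tool_rules(pol):
    """Disallowed path rules whose ItemData points at a known security tool."""
    return [r for r in pol["rules"] if r["level"] == "Disallowed" and r["kind"] == "Paths"
            and any(h in str(r["ItemData"]).lower() for h in TOOL_HINTS)]


def summarize(pol):
    s = pol["settings"]
    return {"default_level": LEVELS.get(s.get("defaultlevel", 0x40000), "unknown"),  # absent = Unrestricted
            "authenticode": bool(s.get("authenticodeenabled", 0)),
            "applies_to_dlls": s.get("transparentenabled", 1) == 2,
            "exempts_admins": s.get("policyscope", 0) == 1,
            "rule_count": len(pol["rules"]),
            "blocked_tools": [r["ItemData"] for r in blocked_tool_rules(pol)]}


def removal_commands(pol):
    """cmd.exe lines deleting only the flagged rules; run elevated (e.g. from an FRST CMD: line)."""
    return [f'reg delete "{r["key"]}" /f' for r in blocked_tool_rules(pol)]


def would_block(pol, exe_path, env=None):
    """Simplified SRP path match: case-insensitive, * and ? wildcards, %VAR% expanded from env,
    and a folder rule covers everything beneath it.  Renaming beats a per-file rule, not a folder one."""
    target, env = exe_path.lower(), env or {}
    for r in pol["rules"]:
        if r["level"] != "Disallowed" or r["kind"] != "Paths":
            continue
        pattern = str(r["ItemData"]).lower()
        for var, value in env.items():
            pattern = pattern.replace(f"%{var.lower()}%", value.lower())
        if fnmatch.fnmatchcase(target, pattern) or target.startswith(pattern.rstrip("\\") + "\\"):
            return True
    return False


# The HKLM part of the Fixlog posted in this thread: one value and no rule subkeys at all.
FIXLOG_HKLM = r"""
========= reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s =========
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    authenticodeenabled    REG_DWORD    0x0
========= End of CMD: =========
"""
# Constructed dump (invented GUIDs) of a policy that blocks two tools by path.
SAMPLE_BLOCKING = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    authenticodeenabled    REG_DWORD    0x0
    DefaultLevel    REG_DWORD    0x40000
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{00000000-0000-4000-8000-000000000001}
    Description    REG_SZ
    SaferFlags    REG_DWORD    0x0
    ItemData    REG_EXPAND_SZ    %ProgramFiles%\Malwarebytes Anti-Malware\*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{00000000-0000-4000-8000-000000000002}
    ItemData    REG_EXPAND_SZ    C:\Users\*\Desktop\RogueKiller.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{00000000-0000-4000-8000-000000000003}
    ItemData    REG_EXPAND_SZ    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
"""
```

Run `summarize(parse_reg_query(dump))` on a dump copied out of a Fixlog; check both the HKLM and the HKCU query, since a policy under HKCU applies only to that profile and would not show up when the scan is run from a different account, as this Fixlog was (run by "Safe Mode" while the affected profile is "Deb").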
Post by nanadeb on Jan 21, 2015 10:00:23 GMT -8
Done - the computer did need to restart and all appeared to go normally. Here is the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by Safe Mode at 2015-01-21 12:55:10 Run:2
Running from C:\Users\Safe Mode\Desktop
Loaded Profiles: Safe Mode (Available profiles: Deb & Safe Mode)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CMD: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s
CMD: reg query "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s
Reboot:
end
*****************

========= reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s =========

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    authenticodeenabled    REG_DWORD    0x0

========= End of CMD: =========

========= reg query "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s =========

ERROR: The system was unable to find the specified registry key or value.

========= End of CMD: =========

The system needed a reboot.

==== End of Fixlog 12:55:10 ====
Post by Quads on Jan 21, 2015 14:21:48 GMT -8
Post by nanadeb on Jan 21, 2015 15:26:54 GMT -8
I followed the instructions there - tested all the options on the webpage with no luck. Followed the next instructions to download the files and try to open them one at a time until one worked, and nothing on any of them. Not even the security warning this time. Whatever I have sure is intelligent.
Post by Quads on Jan 21, 2015 15:42:01 GMT -8
There appears to be one other thread active around (XP, not Win 7) that has the same entries in FRST, or near enough, and they have found the same thing: RogueKiller, MBAM and TDSSKiller do not want to run, and no message either.
You both had the restrictions keys files and even the ......\temp\ntfs.sys
I am working on the possibility of it being a Bootkit.
Quads