Jump to content

B Trevathan

  • Content Count

  • Joined

  • Last visited

About B Trevathan

  • Rank

Profile Information

  • Gender
  • Location
    Tennessee USA
  1. I don't know what kind of malware you have, can you give us some more information. Lots of malware programs give fake Windows Security Alert messages and lots of malware block antimalware programs from installing and/or running. Try renaming your antimalware programs like rename the Malwarebytes' Anti-Malware program which is mbam.exe to something like whatever.exe or something.com (Don't just rename the shortcut to the program, you need to rename the program that the shortcut points to.) Try doing the same for the SAS install program, rename it from SUPERAntiSpyware.exe to something.exe or whatever.com and see if it will install. If none of these work try downloading and running SASSAFERUN.COM Try running Microsoft's Malware Removal Tool, click start then click run and type in MRT and hit OK. Also try starting your computer in safe mode by using the F8 key and when in safe mode try running MBAM.
  2. FAQ: I think SUPERAntiSpyware detected something it should not have. What do I do? All spyware and virus scanners from time to time detect what is called a "false positive". A false positive is when the scanner detects a harmless file as an infected file. If you believe SUPERAntiSpyware has improperly detect a file as harmful, please use the built-in false positive reporter in SUPERAntiSpyware to send a sample of the file directly to our definitions team. The false positive reporter is available at the end of a scan. The item must be detected during the scan, not in quarantine. At the end of the scan, click once on the item to be submitted to highlight it, and click the "Report False Positive" button to the right. The file will be submitted to the SUPERAntiSpyware team for analysis. If it's found to be benign, it will be excluded from SUPERAntiSpyware's definitions.
  3. Note: Always make a backup of your files. If you don't have a complete understanding of what needs to be done then don't try to change it, exit out and ask someone for more help, editing the Windows registry keys can be a dangerous task because it saves automatically. Make sure you know what you are changing, some changes may be irreversible and you could only change it back if you remember the old value. Always make a backup of your files. To use the Windows Recovery Console you will need to have a Windows OS disc or have the Recovery Console already install on your computer. You can not check the registry from the Recovery Console, the Recovery Console is used to replace missing files and do other repairs. The Dell disc should not be a Windows OS disc, it should be a restore disc that is used to restore your computers files back to the way they were when you got the computer, if you use the Dell restore disc it may delete all of your data. Before you try slaving the disc it would be easier to just boot from a live CD like "BartPE" or "PCRegedit" etc. The link to BartPE describes how to "Verifying and fixing the Userinit value in the registry" like what I posted about. If you want to slave the drive and load the registry here is "some really good directions" I copied for you on how to do. 1. Slave the drive that contains the bad registry you want to edit to a computer as a data drive. 2. On the computer you are using for the editing, start regedit.exe 3. Highlight the HKEY_LOCAL_MACHINE (HKLM) key and click File->Load Hive. For all keys/files being edited, HKLM, on the host computer, is the key under which to load. 4. Navigate to the registry hive you wish to edit on the drive you connected in step 1 and double click the hive. Although you can edit any of the 5 (at least theoretically), the useful hives to edit are: SOFTWARE, SYSTEM, DEFAULT and for the HKCU key, NTUSER.DAT. The first three files will be located in %windir%\system32\config. As mentioned in the preamble, for NTUSER.DAT, you can, if you choose, edit any user while this drive is connected as a data drive (as it is now) or while the target installation is actually running. %windir% is normally \Windows. 5. You will be prompted for a name for the hive. I use the letter "a" so that the new key (under HKLM) will be listed first or you can call it whatever it is only temporary. 6. Edit to your heart's content. 7. When finished, move to the top level of the named key ("a"), and click File->Unload Hive. DO NOT SKIP THIS STEP.
  4. Are you using McAfee? In post #2 you said you logged in and it logs you back out, so when you get to the part of the recovery section that you posted about in post #3 use the same password you used to log in that you were using from post #2. If that doesn't work then when the recovery console ask for a password don't try typing anything in just leave it blank and hit the enter key. You will have three changes before windows restarts itself. It sounds like you had a really bad malware infection that had changed a value of the Winlogon registry key, to check the key you will have to boot from a live CD or slave the drive in another computer. The key should look similar to this: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon In the right pane of the registry editor, the userinit value should be: C:\Windows\System32\Userinit.exe, (the value includes the comma on the end)
  5. @datasafe 1. Run TDSS Killer again to make sure it got everything and it replaced your drives atapi.sys file. You did reboot right after running it like it said it need too didn't you? 2. Renamed your Host file to something like Host.old then restart your computer and see if that fixes the redirects. 3. Check to make sure your DNS server settings is correct and not pointing to a malware DNS server. 4. Download and run GMER and see if it catches anything. Note: not all rootkits or hidden items are bad. 5. If you are still having problems run a live CD like Dr. Web live CD or Avira Rescue CD. Note: with Avira Rescue CD you may have to click on the British flag in the lower left corner
  • Create New...