Adlice forum

General Category => Malware removal help => Topic started by: 99Sport on September 24, 2016, 11:12:53 PM

Title: Help in reading first RK scan
Post by: 99Sport on September 24, 2016, 11:12:53 PM
First time poster, here.

I've had a problem with a person who feels a psychotic need to track me. I have two laptops, one of which has been disabled by a malicious MBR.

This is my first scan with RK, and I have several questions about the interpretation of the results.
I've read the documentation, and am getting a better understanding of the code used to interpret the results... that being said, I'm a total noob at this.

I've posted the results of the first scan as an attachment, and would like an experienced opinion of these results.

As for the highlighted entries, I have not disabled them as of yet... I'm wondering if it would be possible to track them down and save them for tracking the sender.

I'm not certain if this is the correct place to post this question, so please move to proper location.

With interest, I will keep an eye on this thread.

Title: Re: Help in reading first RK scan
Post by: Curson on September 25, 2016, 11:54:43 PM
Hi 99Sport,

Your computer is infected with Kovter.
The Kovter infection is a Trojan that performs click-fraud while running on your computer. This infection is typically installed via exploit kits found on hacked web sites or Trojan-Downloaders and is not used for tracking purposes.

Delete all entries detected by RogueKiller, then follow this process:
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
Regards.

Note : This thread has been moved to the "Malware Removal help" section for clarity.
Title: Re: Help in reading first RK scan
Post by: 99Sport on September 26, 2016, 08:07:46 PM
Thanks, Curson.

I've deleted all active infections, rebooted and re-scanned the HD. All seems to be good, except for a question I have about a few PUM DNS entries.

The entries are on both of my laptops, and I am wondering if it may be a (user defined) proxy, or something more malicious in intent.

I've deleted them on both of the PCs and they keep showing up on re-scans.

"ipTRACKERonline.com"
IP Address Quick Report
IP Address: 67.142.174.10, 67.142.174.11
Organization: Hughes Network Systems
City:
Country of Origin: United States
* For a complete report on this IP address go to ipTRACKERonline

They are traced to a private art museum in Kansas, with which I have no association.

I'll download FRST and follow your instructions.

Thanks for the guidance.

 (http://www.iptrackeronline.com?ip_address=67.142.174.11)
Title: Re: Help in reading first RK scan
Post by: 99Sport on September 26, 2016, 08:44:44 PM
Curson...
Per instruction, I'm attaching the txt logs you requested.

I see a few "hidden" files, some of which have no identifying author. Will wait for your response and advice, in the meantime, no real work will be done here.

I'll keep an eye open for the reply...

Title: Re: Help in reading first RK scan
Post by: Curson on September 26, 2016, 09:37:57 PM
Hi 99Sport,

Do you have any link with direcway service?
Leftovers of the infection are still present.

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Regards.
Title: Re: Help in reading first RK scan
Post by: 99Sport on September 27, 2016, 12:47:17 AM
Here we go, Curson...

Not that I'm aware of; I don't have a service with direcway. Probably fishy, if anything. I've been a little careless with this pc, lately. Not so, with my new one.

Here is the fixlog you asked for.
Title: Re: Help in reading first RK scan
Post by: Curson on September 27, 2016, 01:15:13 AM
Hi 99Sport,

Could you please tell me the name of your Internet service provider?

Regards.
Title: Re: Help in reading first RK scan
Post by: 99Sport on September 28, 2016, 07:47:03 PM
Curson....

The current ISP is Hughes Network.
Prior to that it was Charter Communications, with a few hotspot connections along the way.

I've been trying to chase down an IP that is traced to an art gallery in Kansas, according to the IPs that show on the scan.

Any help would be greatly appreciated.
Thanks,

Title: Re: Help in reading first RK scan
Post by: Curson on September 28, 2016, 09:47:55 PM
Hi 99Sport,

This IP is linked to Hughes Network Systems, so you don't have to worry about it.
Your computer is now clean. You can now delete FRST and related directories.

Regards.
Title: Re: Help in reading first RK scan
Post by: 99Sport on September 29, 2016, 07:17:21 PM
Thanks, Curson, for your assistance.

I do have a single question about MBRs. What would cause an RK scan to list "unknown MBR" for drive0, and "unknown MBR empty"?
Title: Re: Help in reading first RK scan
Post by: Curson on September 29, 2016, 08:40:35 PM
Hi 99Sport,

You are welcome.
"Unknown MBR" means the MBR is legit but not standard (OEM manufacturers).
"MBR empty" indicates that the device doesn't have any MBR (like USB mass storage devices, SD card readers, etc.).

Regards.
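As an added example (not from this thread and not RogueKiller's own logic), a small Python classifier that reproduces the three-way distinction Curson describes: a sector without the 0x55AA boot signature is reported as empty, one whose boot code matches a baseline hash is standard, and anything else is unknown. The baseline hash set and the sample sectors below are constructed for illustration; in practice the baseline would be captured from a known-good machine.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold boot code (plus disk signature)
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR

def parse_partitions(sector: bytes) -> list:
    """Return the non-empty entries of the 4-slot partition table."""
    entries = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries

def classify_mbr(sector: bytes, known_boot_hashes: set) -> str:
    """'empty' = no boot signature; 'standard' = boot code in baseline; else 'unknown'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        return "empty"
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return "standard" if digest in known_boot_hashes else "unknown"

def build_sector(boot_code: bytes, partitions=()) -> bytes:
    """Constructed helper: assemble a 512-byte MBR from boot code and (type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, BOOT_CODE_LEN + 16 * i,
                         0x80 if i == 0 else 0, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed samples (not real loader code): a baseline loader, an OEM-modified
# loader, and a signature-less sector such as a card reader with no media.
BASELINE_SECTOR = build_sector(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40, [(0x07, 2048, 204800)])
OEM_SECTOR = build_sector(b"\xeb\x3c\x90OEM-LOADER" + b"\x90" * 40, [(0x07, 2048, 204800)])
EMPTY_SECTOR = bytes(SECTOR_SIZE)

# Baseline set, here seeded from the constructed baseline sector (assumption).
KNOWN_BOOT_HASHES = {hashlib.sha256(BASELINE_SECTOR[:BOOT_CODE_LEN]).hexdigest()}

if __name__ == "__main__":
    for name, sec in [("baseline", BASELINE_SECTOR), ("oem", OEM_SECTOR), ("empty", EMPTY_SECTOR)]:
        print(name, classify_mbr(sec, KNOWN_BOOT_HASHES), parse_partitions(sec))
```

On a live Windows system the first sector would be read from \\.\PhysicalDrive0 with administrator rights and passed to classify_mbr; an "unknown" result then only says the boot code differs from the baseline, which covers OEM loaders as well as tampering.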
Title: Re: Help in reading first RK scan
Post by: 99Sport on September 29, 2016, 11:43:17 PM
Got it.

Thanks for all of your help.

I'm ordering the upgraded version of RK. Great program, excellent support.
Title: Re: Help in reading first RK scan
Post by: Curson on September 30, 2016, 04:06:13 PM
Hi 99Sport,

You are welcome.
Thanks for the kind words and for supporting our product.

Regards.