Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected by Trojan.win32.reboot.q


  • Please log in to reply
3 replies to this topic

#1 willsonfang

willsonfang

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 23 June 2009 - 01:55 PM

I've currently got a trojan called win32.rebooter.q

basically it rebooted my computer, and doesn't let me in safe mode or normal - as when i try, just before i log on i get an error saying cannot logon as system is shutting down.

I've connected the HardDrive to another computer, and i'm currently running a anti virus scan on it, apart from that i'm not really sure what i should do as my next step.

Any help on this matter would be appreicated.

BC AdBot (Login to Remove)

 


#2 Zllio

Zllio

  • Members
  • 1,107 posts
  • OFFLINE
  •  
  • Local time:01:11 AM

Posted 26 June 2009 - 04:38 PM

Hi willsonfang,

First I want to tell you that this is a backdoor trojan, for which we have some information particularly important if you use your computer for any kind of banking or business transactions. Please read the following in the quotes box. After that, if you still feel you would like to try cleaning your machine, I'll post some beginning instructions to get you started:

BackDoor Trojans

Backdoor Trojans are the most dangerous and most widespread type of Trojan. They provide the author or "master" of the Trojan with remote "administrative" access and control to the infected machines. Unlike legitimate remote administration utilities, backdooors install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more. In other words, take over the control of your computer.

Disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

In addition to the backdoor Trojan that has been identified, your computer has other infections as well. Although we can attempt to clean this machine, we cannot guarantee that it will be secure afterwards. Your best and safest course of action is a reformat and reinstallation of the Windows operating system.


You have two options now, and how we proceed here, will depend on which choice you make. If you want to attempt to clean the machine, we can, but you will not know if the trojan left an entry to your machine which we can't identify. The other choice would be to reformat and reinstall your operating system. I'll post a couple of links to help you with the changing of your passwords, and if you want to reinstall, instructions for that. This decision depends to some degree on what the computer is used for.


Finally, you should be aware that even if we successfully remove these infections from your computer, some parts of the computer's system may be altered by the removal process itself, which could prevent it from ever regaining its former stability or full functionality without a reformat.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

If you have any questions, please ask.
Please post back to let me know what you've decided.




If you'd still like to continue and have taken any steps you need to to secure your various password-protected accounts, please do the following:





Step 1: AFT Cleaner



If you're running XP, please run ATF cleaner according to the following instructions. If you're using Vista, please skip this step and continue with step 2.


Please download ATF Cleaner by Atribune & save it to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



Step 2: MalwareBytes


Please download Malwarebytes Anti-Malware and save it to your desktop.
MalwareBytes

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable security programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 3: I would like for you to run an online scan with Kaspersky WebScanner



Click on Kaspersky Online Scanner

Note: you'll need to run this scan with Internet Explorer with ActiveX enabled.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Step 4: When you post again, you should have logs or reports for the following:MalwareBytes
Kaspersky log
Let me know what you decided and if you continued with the instructions, how things went?
Zllio


#3 willsonfang

willsonfang
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:11 AM

Posted 29 June 2009 - 10:25 PM

Thankyou for replying, but as most sites - many people failed to understand the nature of this rootkit virus that affected my computer. It was inaccessible due to the fact that it restarts before i can even logon safe mode or normal mode, thus running any scan at all was impossible.

In the end I did a Windows repair, but i didn't trust that the problems where removed, thus i did a full format and reinstall.

#4 Zllio

Zllio

  • Members
  • 1,107 posts
  • OFFLINE
  •  
  • Local time:01:11 AM

Posted 30 June 2009 - 12:35 AM

willsonfang,

Thanks for reporting back. You're right. At the moment I posted to you, I was thinking you could run the scans from the other drive, but in thinking about this, it wouldn't have helped in your case. I think a reformat was probably the fastest solution. There are a lot of new viruses coming out which are affecting the boot sequence and the question of how to fix something if you can't boot up is becoming one of the number one questions. Since prevention does help, I can offer you the following suggestions in case there are some you're not familiar with. Particularly, consider using Spybot's Immunization feature and SpywareBlaster. Both are oriented towards internet protection and don't drain your resources. Be sure your operating system is updated. Use McAfee's SiteAdvisor to check domains where you aren't sure what you're clicking on and especially take note of those that SiteAdvisor doesn't know anything about. I'll post some of our standard protection information in the quotes box below:

AntiSpyware Programs

Spybot and SpywareBlaster can be used simultaneously with other protection software without causing conflicts. Some antivirus software is throwing up warnings about Spybot, but these warnings are an annoyance to try and get people to stop using Spybot. There's a court case going on about this.


Spybot Search & Destroy:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


SpywareBlaster

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all antispyware programs regularly
Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Windows Updates


In the previous instructions I mentioned that you are missing the service packs for Windows. The easiest way to correct this is to set your computer to accept automatic updates. This will ensure that the updates are installed in the recommended order. To make sure they are turned on, go to Start > Control Panel and double-click on Security Center to open it. At the bottom you'll see four icons. One of these is Automatic Updates. Click on this, and in the small window that opens up, check Automatic (recommended). For further reading about windows updates and if you wish to install the updates manually, please see the information in the box below.

unpatched Windows systems are a security risk to everyone on the internet. Malware spreads faster and more extensively. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. So keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. Here is some more information about using updates:How to use Microsoft Update. Further information can be found at Windows Xp Service Pack 3 (sp3) Information

You can check for and install Microsoft applications at Microsoft applications


Please reboot and repeat the update process until there are no more updates to install.



Practice Safe Internet

Below is a list of simple precautions to take to keep your computer clean and running securely:


[*] If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.


[*] If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.


[*] If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.


[*] If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites


[*] Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.


[*] Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.


[*] When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.


[*] Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.


[*] Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.


[*] DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
[/list]



Make your Internet Explorer more secure - This can be done by following these simple instructions:


(unless you are using ZoneAlarm Security Suite or something similar, then you would secure the browser thru the firewall).* From within Internet Explorer click on the Tools menu and then click on Options.
* Click once on the Security tab
* Click once on the Internet icon so it becomes highlighted.
* Click once on the Custom Level button.
* Change the Download signed ActiveX controls to Prompt
* Change the Download unsigned ActiveX controls to Disable
* Change the Initialise and script ActiveX controls not marked as safe to Disable
* Change the Installation of desktop items to Prompt
* Change the Launching programs and files in an IFRAME to Prompt
* Change the Navigate sub-frames across different domains to Prompt
* When all these settings have been made, click on the OK button.
* If it prompts you as to whether or not you want to save the settings, press the Yes button.
* Next press the Apply button and then the OK to exit the Internet Properties page.


Also see the following:


Working with Internet Explorer 6 Security Settings

Use a different browser other than IE (most exploits are pointed towards IE). One of them is Firefox

It is also worth trying Thunderbird for controlling spam in your e-mail.



Free software for keeping your computer safe


Simple and easy ways to keep your computer safe and secure on the Internet


And more freeware programs regarded as useful by the users of this forum:


Commonly Used Freeware Replacements

Please also have a look at the following links, giving some advice and suggestions for preventing future infections:






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users