Possible Virus creating multiple software problems


12 replies to this topic

#1 Jason Davis

Posted 01 February 2010 - 12:20 PM

Hello! I found this site through Google and it seems to be the best place to start. My computer recently seems to have come down with a virus and I'm not sure what I can do at this point.

Computer: 2005 Dell Dimension 5100, Running XP Professional SP3. I had McAfee I get with AT&T internet, but I just got rid of it after these problems started.

Problem: Computer began to get slow and would hang up completely, control alt delete would not do anything. I tried system restore, and it would not allow me to complete it. It will reboot and say it cannot restore to a previous time. I tried multiple dates, none would work except for one date that was after it already seemed infected.

Symptoms: main reason I suspected a virus is every time I would try to log onto paypal, ebay, etc, it would always pop up a new window after the log in screen, even though the address bar would list the correct address, asking for personal information including credit card info and even the ATM pin number. It always freezes at some point. I downloaded spybot and installed Norton 2010, but neither are allowed to complete a scan without hanging up. In general, whatever it is will not allow me to shut down the computer. I ran norton in safe mode, but it finds nothing, while in normal mode it finds things but freezes mid scan. If I can't get any antivirus software to be allowed to complete and I cannot restore, what can I do? Thank you!!!!!!!!

Edited by Pandy, 01 February 2010 - 01:20 PM.
Moved from Windows XP Home and Pro ~Pandy



#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 01 February 2010 - 02:36 PM

It's possible that you have an infected Master Boot Record so lets check it to be sure.

Please download mbr.exe and save it to your desktop <- (Important!).
  • Double-click on mbr.exe and allow the mbr.sys driver to load if asked.
  • A black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved on your desktop.
  • Copy and paste the results of the mbr.log in your next reply.
Also, go to Start > Control Panel > User Accounts, then C:\Documents and Settings\ and let me know if there is a HelpAssistant Account listed.

Edited by boopme, 19 March 2010 - 09:09 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Jason Davis (Topic Starter)

Posted 01 February 2010 - 04:11 PM

Great, thank you!!! I will give it a try as soon as I get home from work and report back. Thanks again.

I also wanted to report that when it crashes, if you try to hit any keys it will usually start a beep from the PC speaker that will continue until you turn it off manually. It also seems to be constantly chugging (hard drive) when it is working.

#4 Jason Davis (Topic Starter)

Posted 01 February 2010 - 05:20 PM

Don't have a HelpAssistant account listed.

Looks like there are some definite problems:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

What's next?

#5 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 01 February 2010 - 06:25 PM

First, open Windows Explorer and rename the C:\mbr.log to C:\mbrold.txt <- if the extension does not show, you need to Reconfigure Windows to show hidden file extensions for known file types.

Make sure mbr.exe is placed in the root directory, usually C:\ <- (Important!).
Then go to Start > Run..., and in the Open dialog box, type: cmd
press Ok.
The command prompt needs to be at the root directory (C:\>_). To do that, type: cd \
press Enter.
At the command prompt C:\>_, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

A new report will be created at C:\mbr.log. Please copy and paste the results in your next reply.

-- If you're not sure how to use the command prompt, please refer to this guide: Introduction to the Command Prompt
-- Vista users can refer to these instructions to open a command prompt

I also wanted to report that when it crashes...It also seems to be constantly chugging (hard drive) when it is working.

Crashes (BSOD), unexpected shutdowns, sudden freezing, random restarting, and booting problems during or after running anti-malware scanners can be symptomatic of a variety of things to include problems encountered with certain types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, etc) that are being scanned. Crashes can also be symptomatic of hardware/software issues, overheating caused by a failed processor fan, bad memory (RAM), failing or underpowered power supply, CPU overheating, motherboard, video card, faulty or unsigned device drivers, CMOS battery going bad, BIOS and firmware problems, dirty hardware components, programs hanging or unresponsive in the background, and even malware. Even legitimate programs like CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) can trigger crashes, various stop error messages and system hangs so you may or may not be dealing with multiple issues which are not all malware related. Troubleshooting for these kinds of issues can be arduous and time consuming. There are no shortcuts.

When Windows XP detects a problem from which it cannot recover, it displays Stop Error Messages which contain specific information that can help diagnose and resolve the problem detected by the Windows kernel. An error message can be related to a broad number of problems such as driver conflicts, hardware issues, read/write errors, and software malfunctions and malware. In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You may not see the error code because the computer reboots too fast.

An easier alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD). To change the recovery settings and Disable the Automatic Restart on System Failure in Windows XP, go to Start > Run and type: sysdm.cpl
Click Ok to open System Properties.

Alternatively you can just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is unchecked.
  • Click "OK" and reboot manually for the changes to take effect.
This can also be done in the Windows Advanced Options Menu as shown here by pressing the F8 key repeatedly like you would do for entering safe mode.

-- Vista users can refer to these instructions: How To Disable the Automatic Restart on System Failure in Windows Vista.

Doing this won't cure your problem but instead of crashing and restarting you will get a blue diagnostic screen with an error code and other information to include file(s) that may be involved which will allow you to better trace your problem. Write down the full error code and the names of any files/drivers listed, then provide that information in your next reply so we can assist you with investigating the cause. Without that specific information, we would only be guessing rather than troubleshooting.

#6 Jason Davis (Topic Starter)

Posted 01 February 2010 - 07:05 PM

so far so good....

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

#7 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 01 February 2010 - 09:59 PM

Your log indicates: original MBR restored successfully !...that's a good sign.

Now we need to confirm the results.
Restart the computer <- Important! (otherwise the next report may falsely show the infection as still present)
Then run mbr.exe the same way you did the first time.
It will create a new mbr.log.
Copy and paste the results in your next reply.

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop (alternate download link 1, alternate download link 2).
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#8 Jason Davis (Topic Starter)

Posted 02 February 2010 - 05:25 PM

Ran the MBR again as well as the Malwarebytes program. Running much better as we go along here, hasn't crashed again (yet)....

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !

These are the results of the quick scan from Malwarebytes. The full scan did not find any additional problems. What is this select rebates?

Malwarebytes' Anti-Malware 1.44
Database version: 3675
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/1/2010 8:47:51 PM
mbam-log-2010-02-01 (20-47-48).txt

Scan type: Quick Scan
Objects scanned: 155381
Time elapsed: 21 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 13
Files Infected: 79

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
C:\Program Files\SelectRebates (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\content (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\locale (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\locale\en-US (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\defaults (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\defaults\preferences (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\SahImages (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\Cache (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\ImageCache (Adware.SelectRebates) -> No action taken.

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\678.tmp (Trojan.Dropper) -> No action taken.
C:\Program Files\SelectRebates\SelectAlerts.dat (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\SelectRebates.ini (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\SelectRebatesA.dat (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\SelectRebatesB.dat (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\SelectRebatesBT.dat (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\SRebates.dll (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\SRFF3.dll (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome.manifest (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\install.rdf (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\content\options.js (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\content\options.xul (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\content\sahtoolbar.js (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\content\sahtoolbar.xul (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\locale\en-US\contents.rdf (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\locale\en-US\sahtoolbar.dtd (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\locale\en-US\sahtoolbar.dtd.skin (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\locale\en-US\sahtoolbar.properties (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\3rdParty.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\add-folderplus.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\add-plussign.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\alert-blue.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\alert-red.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\bluebar.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\dollarsign.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\FindWords.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\gripper.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\icon-magnifying.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\invite.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\invite2.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\my-blue.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\my-gray.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\my-green.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\my-red.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\Options.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\S.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\SAH-LogoHotSpots.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\SAH-logotext.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\SAH-mainlogo-v1.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\SAH-mainlogo-v2.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\sahtoolbar.css (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\Scissors.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\Search.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\shoppingcart.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\singleperson.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\star.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\thumb2.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\Thumbs.db (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\toolbar-images-ALL.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\Toolbar_HelpAndFeedback.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\chrome\skin\Wrench.png (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\SahImages\bg-gradient.gif (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\SahImages\button-close.gif (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\SahImages\sah-logopop.gif (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\Add.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\AdvancedOptions.html (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\basis.xml (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\Basis.xml.dym (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\Blank.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\button-CloseWindow.gif (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\icons.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\Invite.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\i_clipboard.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\i_help.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\i_magnifying.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\logo.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\logo_24.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\logo_HotSpots.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\MyNew.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\MyNone.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\MyPage.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\Rate.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\RightControls.dym (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\sah_logo_bars.gif (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\Scissors.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\Tools.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\Tools2.bmp (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\Toolbar\ImageCache\alert-red.bmp (Adware.SelectRebates) -> No action taken.
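As an added example (not part of the thread and not Malwarebytes' own code), the following Python parses an excerpt of the quick-scan log above and summarises it the way a helper reads it: the header fields, the per-section counts against the items actually listed, the items grouped by detection name, the "Broken.OpenCommand" entries with their bad and good values, items sitting under the HelpAssistant profile that the earlier reply asked about, and how many items are still at "No action taken" (that is, logged before anything was removed). The excerpt is a constructed sample re-typed from the posted log with the Folders and Files sections cut to two lines each, so the count check has a mismatch to report; the field names and the review checks are assumptions of this example, not MBAM's.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.44 text log.

Added example for this thread; not part of the original posts and not
Malwarebytes code. Field names and review rules are this example's own.
"""
import re
from collections import Counter

# Constructed sample: excerpt of the posted quick-scan log, Folders and Files
# sections cut to two lines each (the header counts are left as posted).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3675
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/1/2010 8:47:51 PM
mbam-log-2010-02-01 (20-47-48).txt

Scan type: Quick Scan
Objects scanned: 155381
Time elapsed: 21 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 13
Files Infected: 79

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{98279c38-de4b-4bcf-93c9-8ec26069d6f4} (Adware.SelectRebates) -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
C:\Program Files\SelectRebates (Adware.SelectRebates) -> No action taken.
C:\Program Files\SelectRebates\FFToolbar (Adware.SelectRebates) -> No action taken.

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\678.tmp (Trojan.Dropper) -> No action taken.
C:\Program Files\SelectRebates\SRebates.dll (Adware.SelectRebates) -> No action taken.
"""

# "Files Infected: 79" is a summary count; "Files Infected:" opens a section.
HEADER_RE = re.compile(r"^(?P<name>.+? Infected):(?: (?P<count>\d+))?$")
# "<item> (<detection name>) -> <action text>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# Registry repairs carry the old and the intended value inline.
REPAIR_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")


def parse_mbam_log(text):
    """Return header fields, the summary counts and one dict per listed item."""
    result = {"counts": {}, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            result["version"] = line.rsplit(" ", 1)[1]
        elif line.startswith("Database version: "):
            result["database_version"] = int(line.split(": ", 1)[1])
        elif line.startswith("Scan type: "):
            result["scan_type"] = line.split(": ", 1)[1]
        elif line.startswith("Objects scanned: "):
            result["objects_scanned"] = int(line.split(": ", 1)[1])
        elif HEADER_RE.match(line):
            h = HEADER_RE.match(line)
            if h.group("count") is not None:
                result["counts"][h.group("name")] = int(h.group("count"))
            else:
                section = h.group("name")
        elif section and ITEM_RE.match(line):
            m = ITEM_RE.match(line)
            # The final " -> " segment is MBAM's recorded action for the item.
            parts = m.group("action").rsplit(" -> ", 1)
            entry = {"section": section, "item": m.group("item"),
                     "threat": m.group("threat"), "action": parts[-1]}
            if len(parts) == 2 and REPAIR_RE.match(parts[0]):
                r = REPAIR_RE.match(parts[0])
                entry["bad"], entry["good"] = r.group("bad"), r.group("good")
            result["items"].append(entry)
    return result


def review(parsed):
    """The checks a helper makes before asking for a rescan."""
    items = parsed["items"]
    listed = Counter(e["section"] for e in items)
    return {
        # Nothing has been cleaned until the action changes from "No action taken."
        "pending": sum(1 for e in items if e["action"] == "No action taken."),
        "by_threat": dict(Counter(e["threat"] for e in items)),
        "open_command_repairs": [(e["item"], e["bad"], e["good"])
                                 for e in items if e["threat"] == "Broken.OpenCommand"],
        "profile_hits": [e["item"] for e in items if e["item"].lower()
                         .startswith("c:\\documents and settings\\helpassistant\\")],
        # Header count versus lines actually present (catches a truncated paste).
        "count_mismatches": {name: (count, listed.get(name, 0))
                             for name, count in parsed["counts"].items()
                             if count != listed.get(name, 0)},
    }


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(parsed["version"], "db", parsed["database_version"], parsed["scan_type"])
    for key, value in review(parsed).items():
        print(f"{key}: {value}")
```

The two "Broken.OpenCommand" lines are worth reading in full rather than just counting: the open commands for .scr and .reg files had both been pointed at NOTEPAD.EXE, and the log records the value MBAM intends to restore for each.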

#9 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 03 February 2010 - 09:57 AM

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 3675. Last I checked it was 3682.

#10 Jason Davis (Topic Starter)

Posted 03 February 2010 - 05:29 PM

This is the result of the latest scan. Should I still be concerned with those results of the MBR?

Malwarebytes' Anti-Malware 1.44
Database version: 3685
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/3/2010 5:27:23 PM
mbam-log-2010-02-03 (17-27-23).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|G:\|)
Objects scanned: 246644
Time elapsed: 1 hour(s), 49 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 03 February 2010 - 06:27 PM

Your log after using "mbr.exe -f" indicated: original MBR restored successfully !
The confirmation log results say both the user & kernel MBR are OK.

The presence of malicious code and a PE file indicates that there was an infection but it has been cleaned and the MBR has been restored successfully. Mebroot overwrites the MBR of the hard disk and uses rootkit techniques to hide itself. The installer of the rootkit writes the content of a malicious kernel driver to the last sectors of the disk, and then modifies sectors to include sector 0 (MBR). According to gmer, fixmbr restores only sector 0 (MBR) and as such, mbr.exe will always show all sectors that were related to Mebroot even after the infection is removed.

How is your computer running now? Are there any more reports/alerts, signs of infection or issues with your browser?
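The reading of the three mbr.exe reports given in this reply (infection detected; fix applied but a reboot and rerun still needed; user and kernel MBR OK with the residual sector lines still printed because only sector 0 was rewritten) can be turned into a small checker. The Python below is an added example, not part of the thread and not gmer's code: the three reports are re-typed from the posts above as constructed sample input, and the verdict names are this example's own labels.

```python
"""Reduce gmer mbr.exe reports to a verdict.

Added example for this thread; not part of the original posts and not
gmer's code. Verdict labels are this example's own.
"""
import re

# Constructed samples: the three reports posted in the thread.
REPORT_INFECTED = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# Output of "mbr.exe -f": the detection run plus the final confirmation line.
REPORT_FIXED = REPORT_INFECTED + "original MBR restored successfully !\n"

# Confirmation run after the reboot.
REPORT_CONFIRMED = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
"""

# Lines naming a disk sector: "sector 0x..." or "sector at 0x...".
SECTOR_RE = re.compile(r"sector(?: at)? (0x[0-9A-Fa-f]+)")


def parse_mbr_report(text):
    """Pull out the facts the verdict depends on."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    facts = {
        "device_opened": any(ln.startswith("device: opened successfully") for ln in lines),
        "user_read": any(ln.startswith("user: MBR read successfully") for ln in lines),
        "kernel_read": any(ln.startswith("kernel: MBR read successfully") for ln in lines),
        # Printed only when the MBR seen from user mode matches the one seen
        # from kernel mode, i.e. the disk reads are not being hooked.
        "mbr_ok": "user & kernel MBR OK" in lines,
        "infection_detected": any("MBR rootkit infection detected" in ln for ln in lines),
        "restored": any("original MBR restored successfully" in ln for ln in lines),
        "sectors": [],
    }
    for ln in lines:
        m = SECTOR_RE.search(ln)
        if m:
            facts["sectors"].append(int(m.group(1), 16))
    return facts


def verdict(text):
    """Map a report to one of the states a helper would act on."""
    f = parse_mbr_report(text)
    if not (f["device_opened"] and f["user_read"] and f["kernel_read"]):
        return "UNREADABLE"             # MBR could not be read; nothing to conclude
    if f["infection_detected"] and f["restored"]:
        return "FIXED_REBOOT_REQUIRED"  # -f ran; reboot and rerun before trusting it
    if f["infection_detected"]:
        return "INFECTED"
    if f["mbr_ok"] and f["sectors"]:
        return "CLEAN_WITH_RESIDUE"     # sector 0 clean; leftover sectors expected per gmer
    if f["mbr_ok"]:
        return "CLEAN"
    return "INCONCLUSIVE"


if __name__ == "__main__":
    for name, report in [("detection", REPORT_INFECTED),
                         ("fix", REPORT_FIXED),
                         ("confirmation", REPORT_CONFIRMED)]:
        sectors = [hex(s) for s in parse_mbr_report(report)["sectors"]]
        print(f"{name:13s} {verdict(report):22s} sectors={sectors}")
```

The ordering of the checks matters: "restored" is tested before "infection detected" because the fix run prints both lines, and the "user & kernel MBR OK" line is what separates a clean confirmation run (residual sector lines and all) from the original detection.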

#12 Jason Davis (Topic Starter)

Posted 04 February 2010 - 05:27 PM

Actually, it's running pretty close to normal, and was night and day as soon as that Rootkit was removed. I didn't know how it worked with the MBR, thanks for explaining that.... I'm only savvy with the basics so that was all new to me.

Can't thank you enough for your help, I was a stone's throw from reformatting and starting from scratch... and dreading the prospect. Thanks again!!!

#13 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 05 February 2010 - 08:50 AM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.



