It all started w/bytedefender


15 replies to this topic

#1 panicki


  • Members
  • 15 posts

Posted 04 June 2010 - 03:04 PM

It all started w/bytedefender. Symantec proved useless, we got a free year of Webroot w/my husband's computer so I tried that, and it didn't work. I uninstalled Webroot (I can see on the logs some of that's still hanging around). A friend gave me a PC cleaning guide and a removable disk w/tfc.exe, erunt, adaware, spybot, Malwarebytes, gmer, otl.exe and combofix. (I did not run combofix)

I either didn't trust or was not able to run a lot of those, so I started looking here for answers and rkill allowed me to run Malwarebytes. It looks to be free from the bytedefender popups and such, but websites reroute to g.blahblah.com or wapp.verizon.net and won't load. I also have Registry Mechanic on the machine and ran it and found 98 problems but did not click on repair. The desktop is sluggish and sometimes locks up during the scans (like now). I am using another computer and a flash drive to create logs and post here. I am running gmer and dds now. I have the 2 logs ready but they are not zipped because of the computer freezing. Can I post them unzipped? I did get them saved before the freeze.

God bless you if you know what the heck I'm talking about and can help in any way. Thanks!!

I added the 2 logs to my original post. I'm running gmer again, will add it to this post when it's finished running.

gmer log attached.

Merged 3 posts. ~ OB


Edited by Orange Blossom, 05 June 2010 - 04:58 PM.




#2 Farbar

  • Security Developer
  • 21,716 posts
  • Gender: Male
  • Location: The Netherlands

Posted 07 June 2010 - 03:53 PM

Hi panicki,

Welcome to the malware removal forum.

If the issue is not resolved please update me on the current condition of your computer.

Also perform the following:

Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

CODE
@echo off
rem Run GMER's MBR checker and let it write its report to mbr.log
mbr.exe -t
rem Remove the per-user (WinINET / Internet Explorer) proxy the malware set
Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /f
Reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
rem Reset the machine-wide WinHTTP proxy to direct access
proxycfg -d
rem Open the report in Notepad
start mbr.log

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A notepad opens, copy and paste the content (log.txt) to your reply.


#3 panicki


Posted 07 June 2010 - 04:34 PM

Hi Farbar,

I haven't done anything since I posted the other 3 logs on the previous post. You are the first person to try to help (much obliged!!).

I did what you asked mbr log attached.

Thanks for helping me.

-Nicki

#4 Farbar


Posted 07 June 2010 - 04:38 PM

You are welcome, but you forgot to attach or upload the attachment. You may just copy and paste it.

#5 panicki


Posted 07 June 2010 - 06:52 PM

I uploaded it again, but here it is c/p:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK



#6 Farbar


Posted 07 June 2010 - 07:03 PM

No need to attach. Please just copy and paste unless otherwise requested.

The log misses one important line. Please run the batch file again and post the log.

#7 panicki


Posted 07 June 2010 - 07:24 PM

That's all it will give me. I just ran it again and a black window w/white text comes up on the screen (and disappears before I can even read any of it) and the log I pasted above is the only thing I'm left with. Only those same lines. Can I do anything else?

#8 Farbar


Posted 08 June 2010 - 02:06 AM

Please remove look.bat and try this batch file:

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

CODE
@echo off
rem Delete any stale report so Notepad never opens an old one
if exist mbr.log del mbr.log
rem Run GMER's MBR checker; it writes its report to mbr.log
mbr.exe -t
rem Wait about one second so the report is fully written before opening it
ping 1.1.1.1 -n 1 -w 1000 >nul
start mbr.log

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A notepad opens, copy and paste the content (log.txt) to your reply.


#9 panicki


Posted 08 June 2010 - 07:31 AM

Thanks again for helping me, your patience is appreciated!

I ran the batch you sent and it tells me 'mbr.exe' is not recognized as an internal or external command, operable program or batch file.

Okay, forget all that, I figured out that I had saved mbr as mbe.

Here's the new log from the 2nd .bat:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
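As an added example (not code from this thread or from GMER), here is a small Python checker for the mbr.exe -t report that encodes what Farbar was looking for: the "called modules:" line must be present (the first run above lacked it, so the log was not usable) and the final verdict must read "user & kernel MBR OK". The two sample reports embedded in it are the ones posted in this thread.

```python
"""Validate a GMER mbr.exe -t report (added example, not code from the thread)."""

# Lines every usable mbr.exe -t report contains; "called modules:" is the one
# that was missing from the first run in this thread.
REQUIRED_PREFIXES = (
    "device: opened successfully",
    "user: MBR read successfully",
    "called modules:",
    "kernel: MBR read successfully",
)
CLEAN_VERDICT = "user & kernel MBR OK"

def parse_mbr_log(text):
    """Return {'status': 'incomplete' | 'clean' | 'suspicious',
    'modules': [disk-stack drivers mbr.exe listed], 'reason': str}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for prefix in REQUIRED_PREFIXES:
        if not any(ln.startswith(prefix) for ln in lines):
            # The tool was cut short or the log was opened before it was
            # written (the first batch file's problem): rerun, do not judge.
            return {"status": "incomplete", "modules": [],
                    "reason": "missing line: " + prefix}
    modules = []
    for ln in lines:
        if ln.startswith("called modules:"):
            modules = ln[len("called modules:"):].split()
    if CLEAN_VERDICT not in lines:
        # Anything without the OK verdict needs a human to read the full report.
        return {"status": "suspicious", "modules": modules,
                "reason": "no '" + CLEAN_VERDICT + "' verdict"}
    return {"status": "clean", "modules": modules,
            "reason": "all required lines present, verdict OK"}

# The two reports posted in this thread, embedded as sample input.
FIRST_RUN = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""
SECOND_RUN = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
"""
```

Calling parse_mbr_log(FIRST_RUN) reports the log as incomplete, while parse_mbr_log(SECOND_RUN) reports it clean and lists the eight disk-stack drivers.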

#10 Farbar


Posted 08 June 2010 - 10:02 AM

  1. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  2. Apart from the proxy setting that was added by the malware and that we removed with the first batch file, the mbr.log and all the other logs do not show anything suspicious. We can run other tools or scanners, but I would like to know if you observe any issue that justifies digging deeper. So please use the computer for a while, update your security programs, use your internet browser and tell me if you see any issues.


#11 panicki


Posted 08 June 2010 - 12:14 PM

I downloaded mbam-rules on a flash drive for manual install and it didn't find anything, but now I was able to download the update. Here's the log. I'm running it again since the direct update downloaded and I'll see if there is anything else to report in about an hour.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4125

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/8/2010 12:45:23 PM
mbam-log-2010-06-08 (12-45-23).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 209292
Time elapsed: 1 hour(s), 16 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#12 Farbar


Posted 08 June 2010 - 02:02 PM

I'll wait for the update.

Just one thing: MBAM is not updated to the latest database version: 4180. You should keep updating until it says you have the latest update.

#13 panicki


Posted 08 June 2010 - 02:34 PM

Was any of that intended to be a fix? It seems to be working now.

#14 Farbar


Posted 08 June 2010 - 02:50 PM

The only fix was the first batch file that removed the proxy setting that was added by the malware.

It looks good.
  1. Please download OTC and save it to Desktop.
    • Make sure you have internet connection.
    • Double-click OTC. In Windows Vista right-click to run it as administrator.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.

  2. You may delete any tool or log we used from your computer.

  3. First set a new restore point, then remove the old restore points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.


Happy surfing, panicki.



#15 panicki


Posted 08 June 2010 - 03:36 PM

Thank you thank you thank you!!!!! I'm doing all of that now.

Who rocks the internet? Farbar rocks the internet!!!

Thanks!! Thanks!! Thanks!!

Edited by panicki, 08 June 2010 - 04:27 PM.




