
Possible infection - Security Intrusion


This topic is locked
15 replies to this topic

#1 Laney31 (Members, 17 posts)

Posted 05 June 2010 - 07:58 PM

Hi. For the past week I have been getting intrusion detection notifications from Norton Internet Security. The messages will read "Severity: High. Activity: An intrusion attempt by m01n83kjf7.com. Status: Blocked. Recommended Action: No Action required". The last message was just ten minutes ago. Yesterday I did a full scan with Norton Internet Security. Only cookies showed up in the results. I also did a scan with "Super AntiSpyware" - same results, only cookies. I am not sure what should be my next option.

I tried creating a GMER log twice and each time my computer automatically restarted itself and then I would get a blue screen. I am pretty much at my wits' end. Thank you for reading.

Here is a copy/paste of the DDS.txt log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by V-LO at 19:55:24.47 on Sat 06/05/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3069.1743 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Webroot Spy Sweeper *enabled* (Updated) {13B21AD6-3C95-4498-81A6-C5A79EF30475}
SP: Spy Sweeper *enabled* (Updated) {00000000-0000-0000-0000-000000000000}
SP: Spy Sweeper *disabled* (Outdated) {00000000-E9D0-004F-D859-4D0000000000}
SP: Webroot Spy Sweeper *disabled* (Updated) {00000000-9290-004F-9809-4D0001000000}
SP: Webroot Spy Sweeper *disabled* (Updated) {00000000-9280-004F-9809-4D0001000000}
SP: Spy Sweeper *disabled* (Outdated) {00000000-9280-004F-9809-4D0000000000}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Webroot Spy Sweeper *disabled* (Updated) {00000000-E9D0-004F-D859-4D0001000000}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dlcxcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Program Files\Norton Save and Restore\Agent\VProTray.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Users\V-LO\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
uRun: [Window Washer] "c:\program files\webroot\washer\wwDisp.exe"
uRun: [Uninstall_CToolbar] "c:\users\v-lo\appdata\local\temp\CUninst.exe" /remove
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [Norton Save and Restore 2.0] "c:\program files\norton save and restore\agent\VProTray.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLCXCATS] "rundll32" c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\v-lo\appdata\roaming\mozilla\firefox\profiles\ofm3halo.default\
FF - prefs.js: browser.startup.homepage - chrome://sitelauncher/content/home.html
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\users\v-lo\appdata\roaming\mozilla\firefox\profiles\ofm3halo.default\extensions\{0c7e3f01-99e9-4095-9bdc-f84724960b57}\plugins\NPCpnMgr.dll
FF - plugin: c:\users\v-lo\appdata\roaming\mozilla\firefox\profiles\ofm3halo.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\users\v-lo\appdata\roaming\realarcade\npraclient.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-24 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-24 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-24 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20100528.003\IDSvix86.sys [2010-5-28 344112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-15 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 66632]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-24 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1107000.00c\symtdiv.sys [2010-5-24 339504]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-24 126392]
R2 Norton Save and Restore;Norton Save and Restore;c:\program files\norton save and restore\agent\VProSvc.exe [2007-2-13 3425632]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-2-7 1201640]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2010-4-3 598856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
R3 OEM03Afx;Provides a software interface to control audio effects of OEM003 camera.;c:\windows\system32\drivers\OEM03Afx.sys [2008-10-28 141376]
R3 OEM03Vfx;Creative Camera OEM003 Video VFX Driver;c:\windows\system32\drivers\OEM03Vfx.sys [2008-10-28 7424]
R3 OEM03Vid;Creative Camera OEM003 Driver;c:\windows\system32\drivers\OEM03Vid.sys [2008-10-28 235808]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-11-1 31616]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 12872]
S3 wrssweep;Webroots Volume Access Driver;c:\program files\webroot\washer\wrSSweep.sys [2010-4-3 21832]

=============== Created Last 30 ================

2010-06-05 23:40:44 0 ----a-w- c:\users\v-lo\defogger_reenable
2010-06-05 23:29:38 264888150 ----a-w- c:\windows\MEMORY.DMP
2010-06-05 19:37:02 0 d-----w- c:\program files\Runtime Software

==================== Find3M ====================

2010-06-05 23:30:50 31776 ----a-w- c:\programdata\nvModes.dat
2010-06-05 02:48:43 5528 ----a-w- c:\users\v-lo\appdata\roaming\wklnhst.dat
2010-05-05 22:41:03 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-05 22:41:03 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-05 22:41:02 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-16 12:33:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 12:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-21 23:57:11 202096 ---ha-w- c:\windows\system32\mlfcache.dat
2008-12-14 23:58:52 174 --sha-w- c:\program files\desktop.ini
2008-10-28 22:18:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-11-01 13:57:46 76 --sh--r- c:\windows\CT4CET.bin
2009-10-31 16:37:25 16384 --sha-w- c:\windows\system32\%appdata%\microsoft\windows\iecompatcache\index.dat
2009-10-31 16:37:25 32768 --sha-w- c:\windows\system32\%appdata%\microsoft\windows\privacie\index.dat
2009-10-31 16:37:25 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-10-31 16:37:25 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009103120091101\index.dat
2009-06-11 00:02:10 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-10-28 22:08:28 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:56:07.53 ===============
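The DDS header above is the first thing a helper reads, and the reply that follows acts on two items in it (two real-time antispyware products running at once, and later an out-of-date Java). The Python script below is an added example, not part of this thread and not DDS' own code; it parses the `AV:`/`SP:`/`FW:` product lines and the `mPolicies-system: EnableLUA` line from a constructed excerpt of the posted log and summarises the findings a reviewer would want flagged: more than one enabled antispyware engine, products marked Outdated, and User Account Control switched off (`EnableLUA = 0`, which the thread does not comment on). Product names and states come from the log; the finding keys and the "two or more" threshold are the example's own.

```python
"""Triage of a DDS.txt header (added example; not DDS' own code)."""
import re

# Constructed excerpt in the DDS header format used in the thread.
SAMPLE_DDS = """\
DDS (Ver_10-03-17.01) - NTFSx86
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_12

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Webroot Spy Sweeper *enabled* (Updated) {13B21AD6-3C95-4498-81A6-C5A79EF30475}
SP: Spy Sweeper *disabled* (Outdated) {00000000-E9D0-004F-D859-4D0000000000}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Norton Internet Security *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mPolicies-system: EnableLUA = 0 (0x0)
"""

# One DDS product line: "<kind>: <name> *<state>* [(Updated|Outdated)] {GUID}"
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|SP|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*"
    r"(?: \((?P<freshness>Updated|Outdated)\))?"
)
# UAC policy line from the Pseudo HJT section; value 0 means UAC is off.
LUA_RE = re.compile(r"^mPolicies-system: EnableLUA = (?P<value>\d+)", re.M)


def parse_products(text):
    """Return one dict per AV/SP/FW line: kind, name, enabled, freshness."""
    products = []
    for line in text.splitlines():
        m = PRODUCT_RE.match(line)
        if not m:
            continue
        # State reads "enabled", "disabled" or e.g. "On-access scanning enabled";
        # the last word is what decides whether the product is active.
        state = m.group("state")
        products.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            "enabled": state.split()[-1] == "enabled",
            "freshness": m.group("freshness"),  # None for FW lines (no freshness flag)
        })
    return products


def triage(text):
    """Summarise the findings a helper checks first on a DDS header."""
    products = parse_products(text)
    enabled_sp = [p["name"] for p in products if p["kind"] == "SP" and p["enabled"]]
    outdated = [p["name"] for p in products if p["freshness"] == "Outdated"]
    lua = LUA_RE.search(text)
    return {
        "enabled_antispyware": enabled_sp,
        # Two or more real-time antispyware engines is the conflict the reply points out.
        "multiple_realtime_antispyware": len(enabled_sp) >= 2,
        "outdated": outdated,
        "uac_disabled": lua is not None and lua.group("value") == "0",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Suites such as Norton register under several categories (AV, SP and FW here), so the enabled-antispyware list is a starting point for a human decision, not a verdict on its own.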


#2 Farbar (Just Curious; Security Developer, 21,716 posts, The Netherlands)

Posted 08 June 2010 - 03:40 PM

Hi Laney31,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes.
  1. You have two antispyware programs running at the same time. It might lead to system problems. Please uninstall either Spy Sweeper or SUPERAntiSpyware, or at least configure one of them not to start up with Windows.

  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @ECHO OFF
    if exist mbr.log del mbr.log
    mbr.exe -t
    ping 1.1.1.1 -n 1 -w 1500 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Right-click to run it as administrator.
    • A notepad opens, copy and paste the content (log.txt) to your reply.


#3 Laney31 (Topic Starter)

Posted 08 June 2010 - 08:00 PM

Hello. Thank you for your help.

I did exactly as you stated. I right-clicked and opened it as administrator. The file flashes open and closes quickly. Then I restarted and did the same process; it would open for a short while and quickly close, but a Notepad window did not open. What am I doing wrong?

#4 Farbar

Posted 08 June 2010 - 08:26 PM

Did you download mbr.exe and save it to the C:\Windows directory?

#5 Laney31 (Topic Starter)

Posted 08 June 2010 - 09:23 PM

Yes. And to be sure, I re-did as instructed and the same thing occurs as previously stated above.

#6 Farbar

Posted 08 June 2010 - 09:29 PM

Let's try this:

Run Command Prompt as administrator:
  • Click on Start button.
  • Type Cmd in the Start Search text box.
  • Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator.

Type or copy and then right-click and paste the following lines one by one and press Enter after each line:

mbr.exe -t
start mbr.log



#7 Laney31 (Topic Starter)

Posted 08 June 2010 - 09:36 PM

Okay, when I copied and pasted the first line, I got the following message:

"mxbr.exe is not recognized as an internal or external command, operable program or batch file"

The second one:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#8 Farbar

Posted 08 June 2010 - 09:49 PM

QUOTE
"mxbr.exe is not recognized as an internal or external command, operable program or batch file"

You typed the wrong command and the log was an old one. Please download the batch file, right-click to run it as administrator and post the log.



#9 Laney31 (Topic Starter)

Posted 08 June 2010 - 10:25 PM

Okay, I am not sure if I am doing this correctly. Twenty minutes after I downloaded the file and right-clicked to run it as administrator, this log popped open:

C:\Users\V-LO\Downloads\mbrlog.bat
c:\Users\V-LO\Downloads\mbr.exe
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85713D01]<<
kernel: MBR read successfully
user & kernel MBR OK
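The two mbr.exe logs posted in this thread differ in one line: the second has a `called modules:` entry that ends in `>>UNKNOWN [0x85713D01]<<`, a module in the disk I/O path that the tool could not attribute to a known driver, while both logs finish with the reassuring `user & kernel MBR OK`. The script below is an added example, not from the thread and not GMER's code; it parses both logs (copied here as constructed strings) and classifies the second one as worth escalating on the strength of that entry rather than on the final line. The class labels and the decision order are the example's own.

```python
"""Classifier for GMER mbr.exe output (added example; not GMER's code)."""
import re

# Constructed copies of the two logs quoted in the thread.
LOG_OLD = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

LOG_NEW = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85713D01]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# An unattributed module in the disk stack, as printed by mbr.exe.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_mbr_log(text):
    """Pull the status lines and the called-modules list out of one log."""
    info = {
        "device_opened": False,
        "user_mbr_read": False,
        "kernel_mbr_read": False,
        "mbr_ok": False,
        "modules": [],        # named drivers in the disk I/O path
        "unknown_addrs": [],  # addresses of modules the tool could not name
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "device: opened successfully":
            info["device_opened"] = True
        elif line == "user: MBR read successfully":
            info["user_mbr_read"] = True
        elif line == "kernel: MBR read successfully":
            info["kernel_mbr_read"] = True
        elif line == "user & kernel MBR OK":
            info["mbr_ok"] = True
        elif line.startswith("called modules:"):
            rest = line[len("called modules:"):]
            info["unknown_addrs"] = UNKNOWN_RE.findall(rest)
            info["modules"] = UNKNOWN_RE.sub("", rest).split()
    return info


def classify(text):
    """incomplete, suspect_unknown_module, mbr_mismatch or clean."""
    info = parse_mbr_log(text)
    if not (info["device_opened"] and info["user_mbr_read"] and info["kernel_mbr_read"]):
        return "incomplete"          # tool did not finish; nothing to conclude
    if info["unknown_addrs"]:
        return "suspect_unknown_module"  # escalate even though the MBR compare passed
    if not info["mbr_ok"]:
        return "mbr_mismatch"        # user-mode and kernel-mode MBR reads disagree
    return "clean"


if __name__ == "__main__":
    for label, log in (("old log", LOG_OLD), ("new log", LOG_NEW)):
        print(f"{label}: {classify(log)} {parse_mbr_log(log)['unknown_addrs']}")
```

The ordering matters: the unknown-module check runs before the `MBR OK` check because a sector compare that passes says nothing about a filter sitting in the disk stack, which is exactly the case where the final line is misleading.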

#10 Farbar

Posted 09 June 2010 - 01:09 AM

This is the log we needed. You did not save mbr.exe in the Windows directory. It shows you are not following the directions and not telling me why you are not following them. I'm sorry, but it looks like you let me work hard because you are not ready to pay attention. It creates serious doubt in my mind whether online malware removal suits you in resolving the issue. Online assistance means working together and being able to read and follow the directions exactly as they are.





#11 Laney31 (Topic Starter)

Posted 09 June 2010 - 09:44 AM

I have been paying attention. I am not a computer expert. I have been trying to save the document in the Windows directory and following each one of the steps that you provided. I waited nearly three days for a response and I have been extremely courteous and professional in my response. When I get back I can follow the steps once again.

#12 Farbar

Posted 09 June 2010 - 11:51 AM

The posts are all there. You never said you couldn't save the file in the Windows directory, even when I asked explicitly. You didn't even say you tried to do it. You said you did it and confirmed it once more after my explicit question. I am also professional in my reply and nothing is personal. Since we have talked about this once via PM, we had better move on.

For the future you can do the following to have control over the location of download:

In order to have the option to change the download location run Firefox:
Under Tools menu select Options... under download section check:
    Show the Downloads window when downloading a file.
    Always ask me where to save files.
Click OK


***********

We are going to run this special tool.
  • Please download TDSSKiller.exe and save it to your desktop.
  • Run TDSSKiller.exe.
  • When it has finished, press any key to continue.
  • Let it reboot if needed and tell me if it needed a reboot.
  • It also makes a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.


#13 Laney31 (Topic Starter)

Posted 09 June 2010 - 07:41 PM

Hello,

I downloaded and ran the program. There needed to be a reboot. I have attached the log.

#14 Farbar

Posted 09 June 2010 - 09:08 PM

Hi,

The rootkit is taken care of and Norton should have stopped complaining.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 20 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.

  2. Please download OTC and save it to Desktop.
    • Make sure you have internet connection.
    • Double-click OTC. In Windows Vista right-click to run it as administrator.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.

  3. Delete any tool or log we used from your computer.

  4. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run (alternatively you can press Windows key+R) then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Under "System Restore and Shadow copies" section click "Clean Up" to remove all previous restore points except the newly created one.
    • Click OK and Yes.


Happy Surfing.

#15 Laney31 (Topic Starter)

Posted 09 June 2010 - 10:52 PM

I did everything you instructed. Thank you so much. Hopefully this problem is resolved.

Again, thank you.



