PDA

View Full Version : Backdoor bots and trojans



Yoshi
2010-03-15, 21:34
Hi there,

I have had a virus for a while (it started about 2 weeks ago, though could be 3-4) which AVG have kindly helped me remove on their forums. Here's the link to the thread...

http://forums.avg.com/gb-en/avg-free-forum?sec=thread&act=show&id=68779

I've appreciated their help as it means me and my wife can use the basic tools on our computer for our work.

However we still seem to be having problems with malware - trojans and backdoor bots. Now the virus is gone and I've looked through some of this forum and it says it may be better to format and reinstall even if the malware is gone, I was wondering if this is now what I need to do.

I've followed the "what to do before you post" and here is my current hijackthis log which I've just done:

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://news.bbc.co.uk
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171875240406
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game13.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

I don't know how helpful this is, but here are 3 Malwarebyes anti-malware logs at different times - the backdoor bots seem to have been fixed now but they did reoccur.

1st one - full scan 25th Feb 10

Malwarebytes' Anti-Malware 1.44
Database version: 3796
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

26/02/2010 21:17:39
mbam-log-2010-02-26 (21-17-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 219116
Time elapsed: 2 hour(s), 41 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\4dw4r3 (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\none (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe amht.xfo kixxkk) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\Temp\B5.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\A2.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\C1.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5087252A-BB95-4C92-88A8-9E0374597BFE}\RP398\A0063514.sys (Malware.Packer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

Having just pasted this it would seem that malware did actually 'catch' the file that caused the main virus - sdra64.exe. I guess it didn't manage to fix it however - read the AVG thread for the saga!

2nd main one, a quick scan to see if anything was still there, the backdoor bots came up again...

Malwarebytes' Anti-Malware 1.44
Database version: 3815
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

03/03/2010 21:43:17
mbam-log-2010-03-03 (21-43-17).txt

Scan type: Quick Scan
Objects scanned: 26577
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I also did a full scan yesterday:

Malwarebytes' Anti-Malware 1.44
Database version: 3855
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

14/03/2010 21:03:12
mbam-log-2010-03-14 (21-03-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 231433
Time elapsed: 2 hour(s), 35 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{5087252A-BB95-4C92-88A8-9E0374597BFE}\RP404\A0065612.exe_INFECTED.arl (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5087252A-BB95-4C92-88A8-9E0374597BFE}\RP404\A0068668.exe_INFECTED.arl (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5087252A-BB95-4C92-88A8-9E0374597BFE}\RP404\A0070680.exe (Trojan.ZBot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\17.tmp (Trojan.ZBot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2E.tmp_INFECTED.arl (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\pdfupd.exe_INFECTED.arl (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.


Sorry if all of this is far too much info (I have a log from a full spoybot scan too). I really would just like to know if I need to format my PC and start again. Me and my wife have already changed all our passwords for our various online accounts on a clean computer.

It's not been a waste fixing the virus as it means we can use the PC to do word processing and things but we want to make sure about going back into things like our bank accounts and stuff.

Many thanks

Dakeyras
2010-03-17, 16:10
Hi,

After researching the logs posted here in Safer Networking and also over in the AVG forum.

I have bad news I'm afraid. :sad:

One or more of the identified infections is a Backdoor Trojan plus evidence of Rookit activity.

OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwords.

Should you have any questions, please feel free to ask.

Please let myself know what you have decided to do in your next post.

Yoshi
2010-03-20, 17:57
Hi, thanks for the advice. I am now getting ready to format the machine.

I presume it's ok to download things like SP2 (for putting them on a external harddrive) and SP3 for the reinstall offline?

We changed our passwords/codes on a clean computer a couple of weeks ago and haven't logged into anything for some time.

Hopefully see you on the other side...though have a computer at work to check in!

Dakeyras
2010-03-20, 21:52
Hi. :)


Hi, thanks for the advice. I am now getting ready to format the machine.You're welcome!


I presume it's ok to download things like SP2 (for putting them on a external harddrive) and SP3 for the reinstall offline?Aye that is fine, though actual critical security updates you will need to visit Microsoft Update for them etc.


We changed our passwords/codes on a clean computer a couple of weeks ago and haven't logged into anything for some timeGood, I was aware you had done so from your original post but merely mentioned it again just in-case as a precaution with a view to your own online security.


Hopefully see you on the other side...though have a computer at work to check in! OK, I would like to check the MBR(master boot record) on your machines hard-drive when you have completed the reformat and reinstallation of the Windows operating system. Do not be alarmed by this but merely view it as myself ensuring the security of your computer.

Below is some advice about what to install/safety advice after the format and the reinstallation of the Windows operating system.

Reformat and Reinstallation Advice:

This is a excellent resource I recommend reading:-

How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)


Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
Here are some free Anti Virus programs which I recommend to use:

Antivir PersonalEditionClassic (http://www.free-av.com/)
Free anti-virus software for Windows.
Detects and removes more than 50,000 viruses. Free support.
avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html)
Anti-virus program for Windows.
The home edition is freeware for noncommercial users.
Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
Here are some free Firewalls which I recommend to use:
(Use only one, and disable your Windows Firewall)

Sunbelt Kerio (http://www.sunbelt-software.com/Kerio.cfm)
Outpost (http://www.agnitum.com/products/outpostfree/download.php)
Jetico Personal Firewall (http://www.jetico.com/)
Note: Only ever have installed/use one Anti-Virus application and Software Firewall. Otherwise a system conflict will occur and this also lessens overall online protection!

Keep your system updated- Microsoft releases patches for Windows and other products regularly:

I advise you visit: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
Install the Active X
Once installed it will advise set Auto-Updates if not set and you then you will be able to manually check for updates also via:
Start >> All Programs >> Microsoft Updates

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Malwarebytes' Anti-Malware - Download it from here (http://www.besttechie.net/tools/mbam-setup.exe)
The tutorial on how to use MBAM is located here (http://thespykiller.co.uk/index.php?PHPSESSID=12a63a8f9a27c9b153f67c04a5c10955&topic=5946.0)
Install WinPatrol - Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
The tutorial on how to use Spyware Blaster is located here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Importance of Regular System Maintenance:

I advice you read both of the below listed topics as this will go a long way to keeping your Computer performing well after the format and the reinstallation of the Windows operating system.

Help! My computer is slow! (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)

Also so is this:

What to do if your Computer is running slowly (http://www.malwareremoval.com/tutorials/runningslowly.php)

Yoshi
2010-03-22, 12:42
Hi, I have now formatted and reinstalled Windows and am about to put it online tonight. How do I do the scan that you mentioned before?

Thanks

Dakeyras
2010-03-22, 13:01
Hi. :)

MBR Rootkit Detector:

Download mbr.exe from here (http://www2.gmer.net/mbr/mbr.exe) and save it to your desktop
Double-click mbr.exe to run the tool
You will see the flash of a window, and then a log mbr.txt will be located on your desktop
Post the contents of this log in your next reply

Yoshi
2010-03-23, 14:54
OK, thanks. Having driver issues to get on the net currently but will do the scan as soon as I can.

I wanted to ask something: for this kind of malware, is it worth actually cancelling our bank cards and getting new ones? I'm worried that we made some online payments while the malware was affecting the PC. Nothing has gone out of our accounts or anything but my banks can't really do a 'fraud watch' really they said if I'm worried to cancel the cards and get new ones. Not sure whether to do this or not really and if people actually can get your details from when you do online payments?

Dakeyras
2010-03-23, 15:31
Hi. :)


OK, thanks. Having driver issues to get on the net currently but will do the scan as soon as I can. OK no problem and you're welcome!

Such is not really my sphere of expertise I'm afraid but if you require assistance with Driver related issues the below forums I am a member of have outstanding IT Support Staff:-


PC Pitstop (http://forums.pcpitstop.com/)
What the Tech (http://forums.whatthetech.com/forums.html)

I wanted to ask something: for this kind of malware, is it worth actually cancelling our bank cards and getting new ones? I'm worried that we made some online payments while the malware was affecting the PC. Nothing has gone out of our accounts or anything but my banks can't really do a 'fraud watch' really they said if I'm worried to cancel the cards and get new ones. Not sure whether to do this or not really and if people actually can get your details from when you do online payments? The thing with Financial Institutions is you will not always be dealing with a individual who is aware of all the possible ramifications concerning malware and or provide the correct advice. Sad but true most unfortunately. Myself to err on the side of caution it would be prudent to cancel all cards that have been used online and ask for new ones. This minor inconvenience far outweighs the possibility of either identity theft or any of the accounts associated becoming compromised in the future as I have no idea how long your machine may have been so badly infected and who may have gained access to pertinent information and wait until a later date to act upon it to lull people into a false sense of security.

Both myself and wife use online banking and purchase occasionally online also and if in your situation I would not hesitate to carry out my own advice to your good self.

Yoshi
2010-03-23, 23:41
Hi, MBR scan (managed to get the drivers sorted, typically forgot about needing drivers for my network card!)

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Um...is that seems to be all of it? Hopefully that's ok.

Thanks for the advice about the bank cards, we're going to be safe and get new ones I think.

Dakeyras
2010-03-24, 00:25
Hi. :)


Um...is that seems to be all of it? Hopefully that's ok.
Absolutely fine, now just delete both MBR.exe and the log-file then empty the Recycle Bin.


Thanks for the advice about the bank cards, we're going to be safe and get new ones I think. You're most welcome and stay safe!

Dakeyras
2010-03-25, 01:15
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.