SB doesn't remove "Somoto.BetterInstaller"
Spybot has found "Somoto.BetterInstaller" malware on my PC. Then, after it has been fixed by SB, it is detected again in the next scan.
I would like to know how to definitively remove this threat from my PC.
The software from Somoto is already uninstalled, but this malware is identified by SB as a registry key type.
Attachment: aswMBR.log and MBR.dat (zipped)
aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-10-04 17:37:47
-----------------------------
17:37:47.077 OS Version: Windows 6.1.7601 Service Pack 1
17:37:47.077 Number of processors: 2 586 0x170A
17:37:47.079 ComputerName: ANAEANO-PC UserName: anaeano
17:37:47.763 Initialize success
17:52:24.522 AVAST engine defs: 13100401
17:52:33.701 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
17:52:33.704 Disk 0 Vendor: WDC_WD3200AAJS-00B4A0 01.03A01 Size: 305245MB BusType: 3
17:52:33.810 Disk 0 MBR read successfully
17:52:33.815 Disk 0 MBR scan
17:52:33.828 Disk 0 Windows 7 default MBR code
17:52:33.834 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 10000 MB offset 2048
17:52:33.861 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 295243 MB offset 20482048
17:52:33.877 Disk 0 scanning sectors +625139712
17:52:33.966 Disk 0 scanning C:\Windows\system32\drivers
17:52:50.178 Service scanning
17:52:58.163 Service GbpKm C:\Windows\system32\drivers\gbpkm.sys **LOCKED** 32
17:53:20.384 Modules scanning
17:53:25.358 Disk 0 trace - called modules:
17:53:25.376 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
17:53:25.380 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a32030]
17:53:25.386 3 CLASSPNP.SYS[88fb159e] -> nt!IofCallDriver -> [0x8595a7e0]
17:53:25.391 5 ACPI.sys[88aab3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x8594d338]
17:53:26.206 AVAST engine scan C:\Windows
17:53:29.549 AVAST engine scan C:\Windows\system32
17:59:27.509 AVAST engine scan C:\Windows\system32\drivers
17:59:52.500 AVAST engine scan C:\Users\anaeano
18:03:28.212 AVAST engine scan C:\ProgramData
18:04:40.973 Scan finished successfully
18:20:40.404 Disk 0 MBR has been saved successfully to "C:\Program Files\aswMBR\MBR.dat"
18:20:40.411 The log file has been saved successfully to "C:\Program Files\aswMBR\aswMBR.txt"
RKreport[0]_D_10072013_165239
RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Site : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : anaeano [Admin rights]
Mode : Remove -- Date : 10/07/2013 16:52:39
| ARK || FAK || MBR |
¤¤¤ Bad entries : 0 ¤¤¤
¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][SUSP PATH] ROC_REG_JAN_DELETE.job : C:\ProgramData\AVG January 2013 Campaign\ROC.exe - /DELETE_FROM_SYSTEM=1 [7] -> DELETED
[V2][SUSP PATH] ROC_REG_JAN_DELETE : C:\ProgramData\AVG January 2013 Campaign\ROC.exe - /DELETE_FROM_SYSTEM=1 [7] -> DELETED
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (?s_pClassInfo@Bind@DirectUI@@0PAUIClassInfo@2@A) : DUI70.dll -> HOOKED (Unknown @ 0xFF3F8A75)
[Inline] EAT @explorer.exe (?s_pClassInfo@CCProgressBar@DirectUI@@0PAUIClassInfo@2@A) : DUI70.dll -> HOOKED (Unknown @ 0x6F3F8A92)
[Inline] EAT @explorer.exe (?s_pClassInfo@CCRadioButton@DirectUI@@0PAUIClassInfo@2@A) : DUI70.dll -> HOOKED (Unknown @ 0x6F3F8A92)
[Inline] EAT @explorer.exe (?s_pClassInfo@ScrollViewer@DirectUI@@0PAUIClassInfo@2@A) : DUI70.dll -> HOOKED (Unknown @ 0x6F3F8576)
[Inline] EAT @explorer.exe (RegCreateKeyExW) : pkmws.dll -> HOOKED (C:\Windows\system32\ADVAPI32.dll @ 0x759240FE)
[Inline] EAT @explorer.exe (RegEnumKeyW) : pkmws.dll -> HOOKED (C:\Windows\system32\ADVAPI32.dll @ 0x7592445B)
[Inline] EAT @explorer.exe (RegOpenKeyExW) : pkmws.dll -> HOOKED (C:\Windows\system32\ADVAPI32.dll @ 0x7592468D)
[Inline] EAT @explorer.exe (RegQueryValueExW) : pkmws.dll -> HOOKED (C:\Windows\system32\ADVAPI32.dll @ 0x759246AD)
[Inline] EAT @explorer.exe (RegisterClipboardFormatW) : pkmws.dll -> HOOKED (C:\Windows\system32\USER32.dll @ 0x7513DF8D)
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
[...]
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD3200AAJS-00B4A0 ATA Device +++++
--- User ---
[MBR] a3c0de2d82b0627ed1d91fd1074efef4
[BSP] 081e1d9b6ef823f10f987314a2fbb8ab : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10000 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 20482048 | Size: 295243 MB
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[0]_D_10072013_165239.txt >>
RKreport[0]_S_10072013_165157.txt
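As an added example (not code from the original post, from Spybot or from RogueKiller): the detection that keeps coming back is reported as a registry key, so the practical next step is to locate every key and value in the user and machine hives that still references the vendor, export each affected key with reg.exe, and only then delete it. The search string "Somoto" is taken from the post; the hives searched, the backup folder and the script structure are my assumptions, not the location Spybot itself flags. The script is report-only unless -Remove is given, and it honours -WhatIf.

```powershell
<#
  Added example, not from the original post, Spybot or RogueKiller.
  Lists registry keys/values whose name or data match a pattern; with -Remove,
  exports each matching key (reg.exe) and then deletes the key or value.
  Assumption: "Somoto" comes from the post; the hives below are a generic choice.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Pattern = 'Somoto',
    [switch]$Remove
)

function Find-RegistryTrace {
    param([string]$Pattern)

    # Wow6432Node does not exist on a 32-bit install such as the one in the logs.
    $roots = @('HKCU:\Software', 'HKLM:\Software', 'HKLM:\Software\Wow6432Node') |
        Where-Object { Test-Path $_ }

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = '<key name>'; Data = ''; Path = $key.PSPath }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -match $Pattern -or $data -match $Pattern) {
                    # The default value has an empty name; Remove-ItemProperty expects "(default)".
                    $shown = if ($name -eq '') { '(default)' } else { $name }
                    [pscustomobject]@{ Key = $key.Name; Value = $shown; Data = $data; Path = $key.PSPath }
                }
            }
        }
    }
}

$hits = @(Find-RegistryTrace -Pattern $Pattern)
if (-not $hits) { Write-Host "No registry entries match '$Pattern'."; return }

$hits | Format-Table Key, Value, Data -AutoSize

if ($Remove) {
    $backupDir = Join-Path $env:TEMP ("regbackup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))
    New-Item -ItemType Directory -Path $backupDir | Out-Null
    $exported = @{}

    foreach ($hit in $hits) {
        # Export each key once so the change can be reverted with 'reg import <file>'.
        if (-not $exported.ContainsKey($hit.Key)) {
            $file = Join-Path $backupDir (($hit.Key -replace '[\\:]', '_') + '.reg')
            & reg.exe export $hit.Key $file /y | Out-Null
            $exported[$hit.Key] = $file
        }
        # A key removed earlier in the loop takes its values with it.
        if (-not (Test-Path $hit.Path)) { continue }

        if ($hit.Value -eq '<key name>') {
            if ($PSCmdlet.ShouldProcess($hit.Key, 'Remove key')) {
                Remove-Item -Path $hit.Path -Recurse -Force
            }
        } elseif ($PSCmdlet.ShouldProcess("$($hit.Key) : $($hit.Value)", 'Remove value')) {
            Remove-ItemProperty -Path $hit.Path -Name $hit.Value -Force
        }
    }
    Write-Host "Backups written to $backupDir"
}
```

Run it from an elevated PowerShell prompt (`.\Find-RegistryTrace.ps1 -Pattern Somoto` to list, then `-Remove -WhatIf` to preview, then `-Remove`). If an entry reappears after it has been deleted and backed up, something still running is recreating it; in that case the scheduled tasks, startup entries and loaded-driver sections of a fresh RogueKiller scan are the places to look before deleting the key a second time.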