
Thread: SB doesn't remove "Somoto.BetterInstaller"

  1. #21
    Junior Member
    Join Date
    Oct 2013
    Posts
    22

    Default Report

    Dakeyras,

    After all this work, SB keeps finding and not removing the initial threat:
    Description: Somoto.Betterinstaller - Root class
    Location: HKLM\SOFTWARE\Classes\sdp
    Threat level: 10
    Type: registry key
    Category: MalwareC
    Rule#: B8A7F4F7

    In spite of that, my PC is working well.
    But I would like to feel secure in using it without the threat that SB has found.

  2. #22
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi.

    In spite of that, my PC is working well.
    Good.

    SB keeps finding and not removing the initial threat
    After running the custom OTL script below (post the log created in your next reply, also from the aforementioned custom script), please check for updates with Spybot and run a quick scan and let me know if it is still detected please.

    Glary Utilities Advice:

    Such types of so called tweaking software rarely do any good and actually have the capacity to render a machine little more than an expensive doorstop; my friendly advice is you consider uninstalling the software.

    Java Advice:

    There has been a recent severe exploitation of this software (still on-going); further information can be read here. The aforementioned article will also explain how to disable the plugins, though my friendly advice would be to uninstall if you do not use anything Java related.

    Myself I no longer have anything Java related installed on my machines.

    Custom OTL Script:

    • Right-click OTL.exe and select Run as Administrator to start the program.
    • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Commands
    [CreateRestorePoint]
    
    :OTL
    IE - HKU\S-1-5-21-3550818114-746151525-2354952759-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:21320
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
    O9 - Extra 'Tools' menuitem : Console Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
    O13 - gopher Prefix: missing
    O15 - HKU\S-1-5-21-3550818114-746151525-2354952759-1000\..Trusted Domains: bancobrasil.com.br ([www] * in Sites confiáveis)
    O15 - HKU\S-1-5-21-3550818114-746151525-2354952759-1000\..Trusted Domains: bancobrasil.com.br ([www14] * in Sites confiáveis)
    O15 - HKU\S-1-5-21-3550818114-746151525-2354952759-1000\..Trusted Domains: bancobrasil.com.br ([www2] * in Sites confiáveis)
    O15 - HKU\S-1-5-21-3550818114-746151525-2354952759-1000\..Trusted Domains: bb.com.br ([www] * in Sites confiáveis)
    [2013/10/09 11:21:41 | 000,000,314 | ---- | M] () -- C:\Windows\tasks\GlaryInitialize.job
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:0B4227B4
    
    :Files
    ipconfig /release /c
    ipconfig /renew /c
    ipconfig /flushdns /c
    netsh winsock reset all /c
    netsh int ip reset all /c
    netsh advfirewall reset /c 
    netsh advfirewall set allprofiles state on /c 
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sdp]
    
    :Commands
    [EmptyTemp]
    • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
    • Then click the red Run Fix button.
    • Let the program run unhindered.
    • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

    Note: The log file can also be located at C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  3. #23
    Junior Member
    Join Date
    Oct 2013
    Posts
    22

    Default Doubt

    Dakeyras,

    Forgive my lack of technical knowledge in IT but before running the script in OTL I wonder what this command will do, especially on "bancodobrasil.com.br" and "bb.com.br".

  4. #24
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi.

    Forgive my lack of technical knowledge in IT but before running the script in OTL I wonder what this command will do, especially on "bancodobrasil.com.br" and "bb.com.br".
    Not a problem and asking questions is absolutely fine far as I am concerned etc...

    Basically no websites should be in the Trusted Zone of Internet Explorer at all in my humble opinion. The reason being the default security settings in the Trusted Zone are set way too low, which makes it unsafe in my book. Plus it should not be necessary for any remote server to have that level of access anyway. Plenty of good and reputable sites become compromised to host malware, advertising networks are renowned for serving malware which can appear on any site. The best policy is to remove anything from the Trusted Zone unless it's absolutely required in order for the site to work and you trust that site implicitly. Though the latter these days is becoming more and more fraught as compared to a good few years back unfortunately.

    However the machine is your property after all and if you really want to keep those particular sites in the Trusted Zone, that is your decision and I will respect that and merely run the modified custom script below instead if you so wish.

    Code:
    :Commands
    [CreateRestorePoint]
    
    :OTL
    IE - HKU\S-1-5-21-3550818114-746151525-2354952759-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:21320
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
    O9 - Extra 'Tools' menuitem : Console Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
    O13 - gopher Prefix: missing
    [2013/10/09 11:21:41 | 000,000,314 | ---- | M] () -- C:\Windows\tasks\GlaryInitialize.job
    @Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:0B4227B4
    
    :Files
    ipconfig /release /c
    ipconfig /renew /c
    ipconfig /flushdns /c
    netsh winsock reset all /c
    netsh int ip reset all /c
    netsh advfirewall reset /c 
    netsh advfirewall set allprofiles state on /c 
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sdp]
    
    :Commands
    [EmptyTemp]
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
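    The two OTL scripts above clear the same three things: the per-user IE ProxyServer value, the host entries placed in the Trusted Sites zone (the ZoneMap keys for bancobrasil.com.br and bb.com.br), and the HKLM\SOFTWARE\Classes\sdp key that Spybot reported. The script below is an added example written for this page, not code from the thread, from OTL or from Spybot: it is a read-only audit that reports those items for the logged-in user so the state can be confirmed before and after the fix. It assumes an elevated Windows PowerShell prompt and the standard ZoneMap layout (scheme-named values under each domain key, with host-prefix subkeys such as www or www14).

```powershell
# Added example, not part of the thread and not OTL or Spybot code.
# Read-only audit of the items the OTL fix lines target. Nothing is deleted.
# Run from an elevated Windows PowerShell prompt.

# URLZONE numbers stored in the ZoneMap values (Trusted Sites is zone 2).
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-ZoneMapEntry {
    # Walks ZoneMap\Domains for one hive. Each domain key holds values named after
    # the scheme ('http', 'https' or '*') whose data is the zone number; subkeys such
    # as 'www' or 'www14' are host prefixes of that domain with the same layout.
    param([string]$DomainsPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains')
    if (-not (Test-Path -LiteralPath $DomainsPath)) { return }
    foreach ($domain in Get-ChildItem -LiteralPath $DomainsPath) {
        $keys = @(@{ Key = $domain; Host = $domain.PSChildName })
        foreach ($sub in Get-ChildItem -LiteralPath $domain.PSPath) {
            $keys += @{ Key = $sub; Host = "$($sub.PSChildName).$($domain.PSChildName)" }
        }
        foreach ($k in $keys) {
            foreach ($scheme in $k.Key.GetValueNames()) {
                $zone = $k.Key.GetValue($scheme) -as [int]
                $name = 'Unknown'
                if ($null -ne $zone -and $ZoneNames.ContainsKey($zone)) { $name = $ZoneNames[$zone] }
                [pscustomobject]@{ Host = $k.Host; Scheme = $scheme; Zone = $zone; ZoneName = $name }
            }
        }
    }
}

function Test-FlaggedArtifacts {
    # The remaining items the thread's OTL script removes, reported rather than deleted.
    $ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $props = Get-ItemProperty -LiteralPath $ie
    [pscustomobject]@{
        ProxyEnable        = $props.ProxyEnable
        ProxyServer        = $props.ProxyServer   # the value the OTL script cleared
        SdpClassKeyPresent = Test-Path -LiteralPath 'HKLM:\SOFTWARE\Classes\sdp'
    }
}

$trusted = Get-ZoneMapEntry | Where-Object { $_.Zone -eq 2 }
if ($trusted) {
    Write-Host 'Hosts in the Trusted Sites zone for the current user:'
    $trusted | Format-Table Host, Scheme, ZoneName -AutoSize
} else {
    Write-Host 'No Trusted Sites entries for the current user.'
}
Test-FlaggedArtifacts | Format-List
```

    Run it once before the OTL fix and once after the reboot: the Trusted Sites list should be empty (or contain only what was deliberately re-added), ProxyServer should be blank with ProxyEnable 0 unless a proxy is genuinely in use, and SdpClassKeyPresent should be False. Because the script only reads the registry it can be rerun at any time, for instance after a Spybot rescan, without changing anything.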

  5. #25
    Junior Member
    Join Date
    Oct 2013
    Posts
    22

    Default

    Dakeyras,

    Thank you for replying.
    So I will run the former script.
    And if necessary, later, I will add the mentioned websites in the Trusted Zone again.

    Soon, I will send the results.

  6. #26
    Junior Member
    Join Date
    Oct 2013
    Posts
    22

    Default 10102013_182807.txt

    All processes killed
    ========== COMMANDS ==========
    Restore point Set: OTL Restore Point
    ========== OTL ==========
    HKU\S-1-5-21-3550818114-746151525-2354952759-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
    File move failed. C:\Windows\System32\mctadmin.exe scheduled to be moved on reboot.
    Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
    File move failed. C:\Windows\System32\mctadmin.exe scheduled to be moved on reboot.
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Low Rights\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\gopher|:gopher:// /E : value set successfully!
    Registry key HKEY_USERS\S-1-5-21-3550818114-746151525-2354952759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bancobrasil.com.br\www\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-3550818114-746151525-2354952759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bancobrasil.com.br\www14\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-3550818114-746151525-2354952759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bancobrasil.com.br\www2\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-3550818114-746151525-2354952759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bb.com.br\www\ deleted successfully.
    C:\Windows\Tasks\GlaryInitialize.job moved successfully.
    ADS C:\ProgramData\Temp:0B4227B4 deleted successfully.
    ========== FILES ==========
    < ipconfig /release /c >
    Configuração de IP do Windows
    Adaptador Ethernet Conexão local:
    Sufixo DNS específico de conexão. . . . . . :
    Endereço IPv6 de link local . . . . . . . . : fe80::18b5:2055:2bc2:4001%11
    Gateway Padrão. . . . . . . . . . . . . . . :
    Adaptador de túnel isatap.MultilaserAP:
    Estado da mídia. . . . . . . . . . . . . . : mídia desconectada
    Sufixo DNS específico de conexão. . . . . . :
    Adaptador de túnel Conexão Local*:
    Estado da mídia. . . . . . . . . . . . . . : mídia desconectada
    Sufixo DNS específico de conexão. . . . . . :
    C:\Program Files\OTL\cmd.bat deleted successfully.
    C:\Program Files\OTL\cmd.txt deleted successfully.
    < ipconfig /renew /c >
    Configuração de IP do Windows
    Adaptador Ethernet Conexão local:
    Sufixo DNS específico de conexão. . . . . . : MultilaserAP
    Endereço IPv6 de link local . . . . . . . . : fe80::18b5:2055:2bc2:4001%11
    Endereço IPv4. . . . . . . . . . . . . . . : 192.168.0.100
    Máscara de Sub-rede . . . . . . . . . . . . : 255.255.255.0
    Gateway Padrão. . . . . . . . . . . . . . . : 192.168.0.1
    Adaptador de túnel isatap.MultilaserAP:
    Estado da mídia. . . . . . . . . . . . . . : mídia desconectada
    Sufixo DNS específico de conexão. . . . . . :
    Adaptador de túnel Conexão Local*:
    Estado da mídia. . . . . . . . . . . . . . : mídia desconectada
    Sufixo DNS específico de conexão. . . . . . :
    C:\Program Files\OTL\cmd.bat deleted successfully.
    C:\Program Files\OTL\cmd.txt deleted successfully.
    < ipconfig /flushdns /c >
    Configuração de IP do Windows
    Liberação do Cache do DNS Resolver bem-sucedida.
    C:\Program Files\OTL\cmd.bat deleted successfully.
    C:\Program Files\OTL\cmd.txt deleted successfully.
    < netsh winsock reset all /c >
    Catálogo Winsock redefinido com êxito.
    Reinicie o computador para concluir a redefinição.
    C:\Program Files\OTL\cmd.bat deleted successfully.
    C:\Program Files\OTL\cmd.txt deleted successfully.
    < netsh int ip reset all /c >
    Redefinindo Global, OK!
    Redefinindo Interface, OK!
    Redefinindo Endereço Unicast, OK!
    Reinicie o computador para concluir esta ação.
    C:\Program Files\OTL\cmd.bat deleted successfully.
    C:\Program Files\OTL\cmd.txt deleted successfully.
    < netsh advfirewall reset /c >
    Ok.
    C:\Program Files\OTL\cmd.bat deleted successfully.
    C:\Program Files\OTL\cmd.txt deleted successfully.
    < netsh advfirewall set allprofiles state on /c >
    Ok.
    C:\Program Files\OTL\cmd.bat deleted successfully.
    C:\Program Files\OTL\cmd.txt deleted successfully.
    ========== REGISTRY ==========
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sdp\ deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: anaeano
    ->Temp folder emptied: 13704547 bytes
    ->Temporary Internet Files folder emptied: 359935 bytes
    ->Java cache emptied: 9291 bytes
    ->FireFox cache emptied: 53105431 bytes
    ->Flash cache emptied: 506 bytes

    User: Convidado
    ->Temp folder emptied: 70291 bytes
    ->Temporary Internet Files folder emptied: 432436 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 582 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    User: Todos os Usuários

    User: Usuário Padrão
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 41902084 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 105,00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 10102013_182807

    Files\Folders moved on Reboot...
    File move failed. C:\Windows\System32\mctadmin.exe scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...

  7. #27
    Junior Member
    Join Date
    Oct 2013
    Posts
    22

    Default Threat removed

    Well, now SB does not detect that threat!!!!
    I guess the work is done.

    Feel free to make any more comments or leave some advice for the security of my PC.

    I do thank you and Robybell for helping me.
    Besides helpful, you were very polite too.

  8. #28
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi.

    I do thank you and Robybell for helping me.
    Besides helpful, you were very polite too.
    On behalf of us both you are most welcome and thank you for the compliment also.

    Well, now SB does not detect that threat!!!!
    I guess the work is done.

    Feel free to make any more comments or leave some advice for the security of my PC.
    Good, and congratulations, your computer appears to be malware free!

    Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

    Importance of Regular System Maintenance:

    I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

    Help! My computer is slow!

    Also, so is this:

    What to do if your Computer is running slowly

    Uninstall AdwCleaner:

    • Right-click on AdwCleaner.exe and select Run as Administrator to start the program.
    • Click on Uninstall >> Yes, this will remove the application and its log(s).

    Clean up with OTL:

    • Right-click OTL and select Run as Administrator to start the program.
    • Close all other programs apart from OTL as this step will require a reboot.
    • On the OTL main screen, depress the CleanUp button.
    • Say Yes to the prompt and then allow the program to reboot your computer.

    The above process should clean up and remove the vast majority of scanners used and logs created etc.

    Any left over merely delete yourself and empty the Recycle Bin.

    Reset the System Restore points:

    Create a new, clean System Restore point:-

    • Right click on Computer and select Properties >> System protection >> Create....
    • Give this restore point a descriptive name and click Create.
    • When the new restore point is created click on OK >> close the System Properties window.

    Note: Do not clear infected/old System Restore points before creating a new System Restore point first!

    Flush Old System Restore points:-

    • Click on Start(Windows 7 Orb) >> All Programs >> Accessories >> System Tools >> right-click on Disk Cleanup and select Run as Administrator.
    • Select the system drive, C >> OK.
    • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
    • Click on Clean up system files >> Select the system drive, C >> OK.
    • Now click on the More Options tab.
    • Under:-
    System Restore and Shadow Copies
    • Click on Clean up... >> Delete >> OK >> Delete Files.
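    The restore-point steps above (create a fresh, clean point first, then flush the older ones) can also be driven from an elevated Windows PowerShell prompt. The following is an added example written for this page, not something from the thread: it creates the new point, confirms it exists, lists the points currently held, and shows how much disk the shadow copies occupy so the Disk Cleanup step can be judged. It assumes Windows PowerShell 5.1 or earlier, since Checkpoint-Computer and Get-ComputerRestorePoint are not available in PowerShell 7, and that System Protection is enabled for drive C.

```powershell
# Added example, not from the thread. Requires an elevated Windows PowerShell
# (5.1 or earlier) with System Protection enabled on the system drive.

function New-CleanRestorePoint {
    # Mirrors the "Create..." step: a descriptively named restore point taken
    # before any old points are flushed.
    param([string]$Description = 'Clean baseline after malware removal')
    # MODIFY_SETTINGS is one of the documented RestorePointType values.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    # Return the newest point so the caller can confirm it was actually created.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
}

function Show-RestorePoints {
    # CreationTime is a DMTF timestamp on these WMI objects; ConvertToDateTime
    # turns it into a readable local time.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
}

function Show-ShadowStorage {
    # Restore points live in Volume Shadow Copy storage; this shows the space
    # used and the cap, which is what the Disk Cleanup "More Options" step frees.
    vssadmin list shadowstorage
}

$newest = New-CleanRestorePoint
if ($null -eq $newest) {
    Write-Host 'No restore point was returned; check that System Protection is enabled for C:.'
} else {
    Write-Host "Newest restore point: #$($newest.SequenceNumber) - $($newest.Description)"
}
Show-RestorePoints
Show-ShadowStorage
```

    One caveat worth knowing on Windows 8 and later: Checkpoint-Computer will not create a second point within 24 hours of the previous one unless the SystemRestorePointCreationFrequency value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set, so if the newest point listed is older than expected, that limit rather than a failure is the likely reason. On Windows 7, which this thread concerns, the point is created immediately. The flush itself is still best done through Disk Cleanup as described above, because that dialog deletes every point except the most recent one in a single step.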

    Now some advice for on-line safety:

    The below articles are worth reading and bookmarking for future reference:-

    Computer Security - a short guide to staying safer online

    Securing Your Web Browser

    So how did I get infected in the first place?

    Next:

    Any questions ? Feel free to ask, if not stay safe!
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  9. #29
    Junior Member
    Join Date
    Oct 2013
    Posts
    22

    Default

    Well, Dakeyras, I have no more questions for now.

    Thanks for the tips!

    All the best!!

  10. #30
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Acknowledged and likewise.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
