Mebroot/Torpig Infection?

Discussion in 'Malware Help (A Specialist Will Reply)' started by zamorazeke, Apr 16, 2010.

  1. zamorazeke

    zamorazeke Corporal

    I have been cut off from Internet connection and informed by my ISP (QUEST) that our (secure) LAN is infected with Mebroot/Torpig, detected by Internet connections made by our network. After thinking I had cleared any problems I was reconnected to the Internet, but a week later was cut off and informed again that I was infected. Because we have a desktop hardwired to the modem/router and a laptop on the LAN, I assume this will be a two-stage, two-thread process to clean and clear both machines(?). I have run the full sequence of requested scans on the desktop and would appreciate some expert help in cleaning and repairing our computers...the desktop first. I have attached the first 4 logs and the final will follow in the next post.

    Additional information:
    1. I am running the latest version of Windows XP Home edition with all updates and service patches on a Dell Dimension 8200 desktop with one gigabyte of RAM memory. My primary AntiVirus package is Zone Alarm with automatic updates.
    2. Scans with antivirus applications and online scans found and removed some malware, none of which was labeled Mebroot/Torpig or Sinowal.
     

  2. zamorazeke

    zamorazeke Corporal

    Attached is the final log. Thank you for any help you can give me in clearing this malware from our desktop computer (and later our laptop) so our LAN can once again be cleared to access the Internet.
     

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you know what these are:
    c:\program files\FB42.EXE
    c:\program files\FB21.EXE
    c:\program files\FB41.EXE
    If not, delete them.

    Also, use windows explorer to find and delete:
    C:\WINDOWS\system32\f9t.dat
    C:\WINDOWS\temp\sdk8

    Reboot, run CCleaner. Make sure your internet temp files are cleaned out. You can run ATF Cleaner by Atribune.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. zamorazeke

    zamorazeke Corporal

    Thanks for your help and direction, Tim. By the way, I forgot to mention that I have a Maxtor external hard drive designated as "G" (backup and synchro). I hope this doesn't complicate things too much.

    1. I deleted FB42.EXE, FB21.EXE and FB41.EXE.
    2. Also, I deleted C:\WINDOWS\system32\f9t.dat.
    3. However, I could not delete C:\WINDOWS\temp\sdk8. I got an "Error Deleting File or Folder," message, the body of which indicates "Cannot delete 00000001_events.dat: Access is denied." "Make sure the disk is not full or write-protected and that the file is not currently in use."
    4. Finally, I ran the C:\MGtools\GetLogs.bat file, and I am attaching the MGlogs.zip file.

    Once again, thanks for your help in getting our computer(s) clean. As to how well things are working now, this infection seems to have operated in stealth mode from our viewpoint. It is hard to determine how much has changed because our ISP is the one who monitors our LAN on the Internet.
     

    Last edited: Apr 17, 2010
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you need to call your ISP for them to allow you back on?

    Let's do a few things to be sure you are clean.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    File::
    C:\WINDOWS\temp\av1.tmp
    C:\WINDOWS\temp\sdk8
    C:\WINDOWS\temp\iswift.dat
    C:\WINDOWS\temp\sfdb.dat
    Folder::
    C:\WINDOWS\temp\sdk8
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "PendingFileRenameOperations"=""
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now:
    1. Insert the Windows XP CD-ROM into the CD-ROM drive.
    2. Restart the computer from the CD-ROM drive.
    3. Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
    4. Select the installation that you want to access from the Recovery Console.
    5. Enter the administrator password and press Enter.
    6. Type the following command and press Enter:
    fixmbr
    7. Follow the onscreen instructions to restore the Master Boot Record.
    8. Type exit
    9. Press Enter. The computer will now restart automatically.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
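The CFScript in the post is a small section-oriented text format: a header line ending in `::` opens a section, and the lines under it are the paths or registry entries that section acts on. Before dragging such a script onto ComboFix it is worth being able to read it back mechanically and spot anything surprising. The parser and review helper below are an added example written for this thread, not ComboFix code and not something from MajorGeeks; they accept only the four headers used in the post (`KILLALL::`, `File::`, `Folder::`, `Registry::`), which is an assumption about the format, and the sample input is the script from the post copied in as a string. The "sensitive directory" list is also an assumption chosen for illustration.

```python
import re

# The CFScript text posted in the thread, embedded as the sample input
# (copied from the post; the parser below is an added example, not ComboFix code).
SAMPLE_CFSCRIPT = r"""
KILLALL::
File::
C:\WINDOWS\temp\av1.tmp
C:\WINDOWS\temp\sdk8
C:\WINDOWS\temp\iswift.dat
C:\WINDOWS\temp\sfdb.dat
Folder::
C:\WINDOWS\temp\sdk8
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"PendingFileRenameOperations"=""
"""

# Assumption: only the section headers seen in the post are accepted.
KNOWN_SECTIONS = {"KILLALL::", "File::", "Folder::", "Registry::"}
ABS_PATH = re.compile(r"^[A-Za-z]:\\")
REG_VALUE = re.compile(r'^"([^"]*)"=(.*)$')
# Assumption for illustration: deletions under these trees deserve a second look.
SENSITIVE_PREFIXES = ("c:\\windows\\system32", "c:\\program files")


def parse_cfscript(text):
    """Parse the section-oriented CFScript text into a dict of planned actions.
    Unknown headers and lines outside a section raise instead of being ignored."""
    actions = {"killall": False, "files": [], "folders": [], "registry": {}}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            if line not in KNOWN_SECTIONS:
                raise ValueError(f"unknown section header: {line}")
            section = line
            if section == "KILLALL::":
                actions["killall"] = True
            continue
        if section in ("File::", "Folder::"):
            if not ABS_PATH.match(line):
                raise ValueError(f"expected an absolute drive path, got: {line}")
            actions["files" if section == "File::" else "folders"].append(line)
        elif section == "Registry::":
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
                actions["registry"].setdefault(current_key, {})
            else:
                m = REG_VALUE.match(line)
                if m is None or current_key is None:
                    raise ValueError(f"malformed or orphaned registry line: {line}")
                name, value = m.group(1), m.group(2)
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]  # unquote a REG_SZ-style value
                actions["registry"][current_key][name] = value
        elif section == "KILLALL::":
            raise ValueError(f"KILLALL:: takes no arguments, got: {line}")
        else:
            raise ValueError(f"line before any section header: {line}")
    return actions


def review_cfscript(actions):
    """Return reviewer warnings for a parsed script; an empty list means nothing odd."""
    warnings = []
    lower_files = [p.lower() for p in actions["files"]]
    lower_folders = [p.lower() for p in actions["folders"]]
    for path in lower_files + lower_folders:
        if path.startswith(SENSITIVE_PREFIXES):
            warnings.append(f"{path} is under a system directory; confirm it is not legitimate")
    for path in sorted(set(lower_files) & set(lower_folders)):
        warnings.append(f"{path} is listed under both File:: and Folder::")
    for key in actions["registry"]:
        if not key.lower().startswith(("hkey_local_machine\\", "hkey_current_user\\", "hkey_users\\")):
            warnings.append(f"unexpected registry hive in key: {key}")
    return warnings


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for entry in parsed["files"] + parsed["folders"]:
        print("delete:", entry)
    for warning in review_cfscript(parsed):
        print("warning:", warning)
```

Run against the posted script, the only warning is that `C:\WINDOWS\temp\sdk8` appears under both `File::` and `Folder::`; everything it deletes lives under `C:\WINDOWS\temp`, and the one registry write clears `PendingFileRenameOperations`, the value Windows uses to finish deletions of in-use files at the next reboot, which is what the "Access is denied" error on that folder was about.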
     
  6. zamorazeke

    zamorazeke Corporal

    Hi, Tim. Thanks for your continued help. I have accomplished the following:

    1. Completed the Combofix assignment.
    2. Attempted to fix the master boot record; however,

    a. When starting Recovery Console after starting the computer from the CD-ROM drive, I wasn't asked for an administrator password after selecting the one installation I was given to access...C:\Windows>

    b. So I typed the fixmbr command as you directed and the result was a screen that said: *** Caution *** This computer appears to have a non-standard or invalid boot record...FIXMBR may damage your partition table if you proceed...This could cause all the partitions on the current hard disk to become inaccessible...If you are not having problems accessing your drive, do not continue...Are you sure you want to write a new MBR?

    I wasn't certain that I was in the right "space," so I am sending this to you to ask for confirmation that I should proceed, or not. Sorry, I am not familiar with the procedure in your directions, and I didn't want to do the wrong thing.

    All I need is your okay to continue as before or give me clarification as to where I went wrong.

    Thanks
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ah, yes. You have a Dell. In that case, just run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
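The fixmbr warning in the previous post, and Tim's reply that a Dell explains it, both come down to one question about sector 0: is the boot code in the first 446 bytes still the code this machine shipped with, and is the partition table behind it sane? An MBR-level infection typically rewrites the boot code and leaves the partition table untouched, which is why a generic "standard or not" check raises a false alarm on OEM boot code while a comparison against the machine's own known-good copy does not. The script below is an added example written for this thread, not code from MajorGeeks or from any Dell or Microsoft tool; it builds a constructed 512-byte MBR image (the boot code bytes and the two-partition layout are made up for the sample, with 0xDE as the utility-partition type ID), parses it, and reports findings against a recorded baseline hash.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16
PART_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511


def build_sample_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR image from boot code and a list of
    (bootable, type_id, lba_start, sector_count). Constructed test data only;
    the legacy CHS fields are left zeroed."""
    code = boot_code[:PART_TABLE_OFFSET].ljust(PART_TABLE_OFFSET, b"\x00")
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00" * 3,
                    type_id, b"\x00" * 3, lba_start, sector_count)
        for bootable, type_id, lba_start, sector_count in partitions
    ).ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_mbr(image):
    """Split an MBR image into its boot-code hash, partition entries and signature."""
    if len(image) != MBR_SIZE:
        raise ValueError("an MBR image is exactly 512 bytes")
    partitions = []
    for index in range(4):
        offset = PART_TABLE_OFFSET + index * PART_ENTRY_SIZE
        status, _, type_id, _, lba_start, sector_count = struct.unpack(
            PART_ENTRY_FMT, image[offset:offset + PART_ENTRY_SIZE])
        if type_id == 0:
            continue  # empty slot
        partitions.append({"index": index, "bootable": status == 0x80, "type": type_id,
                           "lba_start": lba_start, "sectors": sector_count})
    return {
        "signature_ok": image[510:] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(image[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(image, baseline_boot_code_sha256):
    """Compare an MBR against this machine's known-good boot-code hash and run
    basic partition-table sanity checks. Returns a list of findings."""
    info = parse_mbr(image)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    return findings


# Constructed stand-in for the OEM boot code (not real Dell or Microsoft bytes).
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 24
# Constructed Dell-style layout: utility partition (type 0xDE) then the Windows volume.
SAMPLE_PARTITIONS = [(False, 0xDE, 63, 80262), (True, 0x07, 80325, 78156225)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Constructed tamper in the bootkit pattern: new boot code, partition table untouched.
TAMPERED_BOOT_CODE = bytes([0xEB, 0x1E]) + b"\x00" * 30
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Two practical notes. The baseline hash has to be recorded from a copy of sector 0 you trust, ideally right after the system is set up or from the vendor's restore media; an OEM boot record that merely looks non-standard then stays a non-finding. And because a boot-sector rootkit can filter disk reads on the running system, the sector to compare should be read from boot media or with the disk attached to another machine, not through the possibly hooked live installation.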
     
  8. zamorazeke

    zamorazeke Corporal

    Thanks again, Tim.

    The computer seems to be running better...possibly a little faster, hopefully without stealth processes (MBR) going on.

    Attached are the files you specified. Hope they show you what you want to see.

    I am ready for further instructions. :)
     

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nope, now it is not showing any MBR type infection. The only advice I can give at this point is to clear out all your temp internet files ( c:\windows\Internet Logs\)

    You can run ATF Cleaner by Atribune.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  10. zamorazeke

    zamorazeke Corporal

    Thank you heaps, Tim. :)

    I have accomplished most of the things you advised in your last post, and I am continuing to go down the list.

    Also, I'm doing the necessary tasks on the laptop in preparation to starting another thread and posting preliminary logs to seek help in determining whether it is infected with the same thing(s) you just exorcised.

    Once again, you have our gratitude.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
