Zeus/MBR

Discussion in 'Malware Help (A Specialist Will Reply)' started by sllloyd, Mar 2, 2010.

  1. sllloyd

    sllloyd Private E-2

    Sunday afternoon while attempting to log into my online banking page, I was redirected to another page asking for my debit/credit card information. I later tried logging into eBay and encountered a similar redirect. I ran the 'Read Me' procedures with one glitch (see below), and attached are the relevant logs.

    A few notes: first, when I ran CCleaner, I did not uncheck the items in the 'Applications' tab. Straight up was in too much of a hurry to get going. Second, after I ran CCleaner, I went back to eBay, tried to log in, and was not redirected. I wasn't convinced, and continued through the checklist. As a reward, the redirect is back. Third, the RR log is still showing an MBR infection. Lastly, this machine is pushing 6 years, and I am on the fence over whether I should just build a new one. I suppose for my own computer education this will probably be a good experience for me. While I have been tempted to try suggested fixes in other folks' posts, I would think that each situation might need different remedies.

    Thanks in advance for your time and help.
     


    Last edited: Mar 2, 2010
  2. sllloyd

    sllloyd Private E-2

    And the final MG file
     


  3. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!


    Download the MBR Rootkit Detector to your desktop.


    Go to Start > Run then copy and paste the following red text into the Open field then click OK:

    "%userprofile%\desktop\mbr.exe" -f

    Next, double-click on the mbr.exe file and attach the contents of the new mbr.log.




    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix checked, exit HijackThis.



    I highly suggest uninstalling the following software. They are either dangerous or untrusted.
    • Advanced Registry Optimizer
    • STOPzilla Toolbar
    • STOPzilla


    Now run a new RootRepeal scan and attach that log along with the MBR Rootkit Detector log.
     
  4. sllloyd

    sllloyd Private E-2

    Thanks for the welcome, wish it could have been under better circumstances.

    Logs attached...mbr bug apparently still there.

    I didn't see a choice, but regarding HijackThis, does it matter that I predominantly run Firefox over IE?

    Stopzilla and ARO removed as suggested.
     


  5. evilfantasy

    evilfantasy Malware Fighter

    Double-click on RootRepeal.exe to rerun it again.
    • Click on the Files tab, then click the Scan button.
    • In the Select Drives dialog (Please select drives to scan:), select your primary system drive (usually C:), then click OK.
    • When the scan has completed, a list of files will be generated in the RootRepeal window.
    • Locate and right-click the MBR rootkit file: Path: Volume C:\ Status: MBR Rootkit Detected!
    • This time choose option #1- restore and reboot immediately.

    Now run RootRepeal again and attach the new log.
     
  6. sllloyd

    sllloyd Private E-2

    Stubborn thing.

    Question: when I unzip the RR, there isn't an option to save it to my desktop, so I've been unzipping it each time from the XP cleaning list. What did I miss?
     


  7. evilfantasy

    evilfantasy Malware Fighter

    Do you still have GMER on your desktop? Try using the MBR Removal Tool from a command prompt before we move on to the more detailed method.

    * Make sure mbr.exe is placed in the root directory, usually C:\ <- (Important!)
    * Then go to Start > Run and in the Open dialog box, type: cmd then click OK
    * The command prompt needs to be at the root directory C:\>_ To do that, type: cd \ then press Enter on your keyboard.
    * At the command prompt C:\>_ type: mbr.exe -f (make sure you have a space between mbr.exe and the -f) then press Enter on your keyboard.
    * At the command prompt type exit then press Enter on your keyboard.

    Restart the computer.

    Now run GMER normally and attach the log it creates.

    * Double-click mbr.exe and follow the prompts.
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Attach that log file to your next reply.
     
  8. sllloyd

    sllloyd Private E-2

    I don't think I ever downloaded GMER....that's on the 'Alternative Scans' page correct? Is the MBR Removal Tool part of it?
     
  9. evilfantasy

    evilfantasy Malware Fighter

    Yes you downloaded it. I called it the MBR Rootkit Detector. Download it here if needed. MBR Rootkit Detector
     
  10. sllloyd

    sllloyd Private E-2

    Ok, I moved mbr.exe from my desktop to C, executed the instructions and then ran it (normally) from C instead of moving it back to my desktop. Attached is the new log it created on C.

    *Edit*

    The upload manager won't allow me to upload the file; it says 'You have already attached this file in thread : Zeus/MBR.' I tried renaming it to mbr2.log and got the same message. I'll copy paste it in:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK


    Sorry this is taking so long to reply, I am turning off Norton and the firewall each time I run this stuff, then switching it back on before I open Firefox. Whenever I have to reboot, Firefox takes FOREVER to load.
     
    Last edited: Mar 3, 2010
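    An added example (my own code, not part of the thread and not GMER's): a small classifier for an mbr.exe log like the one pasted above. The tool reads the MBR through the normal user-mode path and again through the kernel/disk path, so agreement between the two is the clean signal and a mismatch is the tell. The clean log is copied from the post; the infected sample's wording is an assumption I constructed for the example.

```python
import re

# Verbatim copy of the clean log pasted in the thread.
CLEAN_LOG = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# Constructed sample of a positive result; the wording of the mismatch lines
# is an assumption for this example, not output taken from the thread.
INFECTED_LOG_SAMPLE = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
copy of MBR has been found in sector 62
MBR rootkit code detected !
"""

MISMATCH = re.compile(r"user\s*!=\s*kernel MBR|rootkit code detected", re.I)
SECTOR = re.compile(r"found in sector (\d+)", re.I)

def classify_mbr_log(text):
    """Return (verdict, notes); verdict is 'clean', 'infected' or 'inconclusive'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    notes = []
    # Without all three reads the user/kernel comparison never happened,
    # so the log cannot support a verdict either way.
    for prefix in ("device: opened successfully",
                   "user: MBR read successfully",
                   "kernel: MBR read successfully"):
        if not any(ln.startswith(prefix) for ln in lines):
            notes.append("missing: " + prefix)
    if notes:
        return "inconclusive", notes
    if any(MISMATCH.search(ln) for ln in lines):
        notes.append("user-mode and kernel-mode views of the MBR differ")
        for ln in lines:
            m = SECTOR.search(ln)
            if m:  # the rootkit keeps the original MBR elsewhere on disk
                notes.append("original MBR backed up in sector " + m.group(1))
        return "infected", notes
    if any(ln == "user & kernel MBR OK" for ln in lines):
        return "clean", ["both views of the MBR agree"]
    return "inconclusive", ["no comparison line found"]
```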
  11. evilfantasy

    evilfantasy Malware Fighter

    That's better.

    How is the computer running now?
     
  12. sllloyd

    sllloyd Private E-2

    About the same. Once everything gets loaded up, speed isn't really an issue. I was more concerned (maybe falsely) about the 'Rootkit detected!' message RR was returning.

    Isn't the second mbr.log basically the same as what we got the first time around? Should I run RR again?

    If not, what are my next steps?
     
  13. sllloyd

    sllloyd Private E-2

    For grins, I went to my bank's website....and was redirected to a page asking for my debit/check card information, a.k.a. square one.

    :sigh:

    Is there a reformat in my future?
     
  14. evilfantasy

    evilfantasy Malware Fighter

    Download Dr.Web CureIt and save it to your desktop.

    Scan with DrWeb-CureIt as follows:


    • Double-click on drweb-cureit.exe and then click Start
    • An information notice will appear, click OK.
    • This starts a short scan that will scan the files currently running in memory.
    • If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
    • If or when something is found, click the Yes button when it asks you if you want to cure it.



    • Once the short scan has finished, Click Settings > Change Settings
    • Under the Scanning tab UNcheck Heuristic analysis and click OK
    • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
    • Click Yes to all if it asks if you want to cure/move any file(s).
    • When the scan is done.
    • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
    • Save the DrWeb.csv report to your Desktop.
    • Exit Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.


    * After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad. Then save it to your desktop as a Notepad file.

    * Attach that log in the next reply.

    Also let me know how the computer is running now.
     
  15. sllloyd

    sllloyd Private E-2

    Holy Mother of God! The second scan without heuristics takes forever! I imagine it's finished by now, but I left the box about midnight (got tired of waiting), checked it before I left for work this AM, and it still had not finished! Is that normal?

    As an intermediate update, it did find the MBR bug (maos.boot or something like that) and a trojan variant on an OLD, shall we say, discretionary video file. I'll post the log post-second scan late this afternoon.
     
    Last edited by a moderator: Mar 4, 2010
  16. sllloyd

    sllloyd Private E-2

    Evil,

    I came home from work and at some point my computer rebooted during/after the Cure It run. Upon login, I got a "Windows has recovered from a serious error" dialog box. I ran another complete scan with the heuristics unchecked, starting around 5pm CST, and by 10pm, it still had a ways to go.

    Dogs woke me up at 1AM and I came downstairs to save the log to find that my machine had rebooted again with the same message.

    I know that on the second run, Cure It had found a trojan file with Documents and Settings\Norton in the named path, as well as reporting MGTools as an item as well. It had asked me to quarantine the trojan file, but continued running past the MGTools notice.

    Unless I hear otherwise from you, I will kick it off again in the AM and try to catch it before it reboots (only a half day at work tomorrow). I did log in to my bank's website successfully (no redirect), however.

    Thoughts :confused
     
  17. evilfantasy

    evilfantasy Malware Fighter

    Let's go to another scanner. This one should take around an hour.

    ESET Online Scan

    Scan your computer with the ESET FREE Online Virus Scan

    * Click the ESET Online Scanner button.

    * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
    * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    * Place a check mark next to YES, I accept the Terms of Use.

    * Click the Start button.
    * Accept any security warnings from your browser.
    * Leave the check mark next to Remove found threats and place a check next to Scan archives.
    * Click the Start button.
    * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
    * When the scan completes, click List of found threats.
    * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
    * Click the <<Back button then click Finish.

    In your next reply please include the ESET Online Scan Log



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip file that will be created.
     
  18. sllloyd

    sllloyd Private E-2

    ESET did not find anything to log apparently.

    Attached is the MG log. Any time to explain what that is showing exactly?
     


  19. evilfantasy

    evilfantasy Malware Fighter

    There is a new version of MGtools so please download the new version and attach the MGlogs.zip. You can download the new version here. Using MGtools

    I'm really not seeing anything that indicates the infection is still present. How is the computer running now?
     
  20. sllloyd

    sllloyd Private E-2

    Box seems to be running much more smoothly; I think the Russian tool did the trick. Wish it were a bit faster, but don't look a gift horse in the mouth....

    Log attached.

    Next steps?
     


  21. evilfantasy

    evilfantasy Malware Fighter

    I need the MGlogs.zip file. Are you seeing it?
     
  22. sllloyd

    sllloyd Private E-2

    errrr...

    'oops' is all I got...sorry
     


  23. evilfantasy

    evilfantasy Malware Fighter

    Go to Start > Run and type notepad.exe then click OK

    Copy and paste the below into Notepad and save as fixme.reg to Your desktop

    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    "Viewpoint Manager Service"=-
    
    Locate fixme.reg on your desktop and double-click it. Answer Yes when prompted to merge with the Registry.

    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

    Delete the fixme.reg from the desktop.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  24. sllloyd

    sllloyd Private E-2

    Got the 'it worked' dialog box.
     
  25. sllloyd

    sllloyd Private E-2

    Evil, thank you very much for all your help :highfive
     
  26. evilfantasy

    evilfantasy Malware Fighter

    You're welcome and safe surfing.
     
