Bredolab Trojan Removal Problems

I was instructed to follow a set of instructions to scan my computer for malware. I first downloaded and executed Malwarebytes' Anti-Malware. The scan detected no corrupt files. The log file is attached. I continued by downloading Defogger and disabled the CD emulation drivers. The program did not request to reboot the computer as the instructions said it would, so I did the reboot manually. I started having problems in that it did not reboot properly at first. I received a number of "Invalid system disk" errors before the PC finally booted.

I continued by running DDS. It completed and created the two text files which are attached. I then tried to execute the GMER Rootkit Scanner. I was able to start it, and it ran for about 30 minutes. The computer then rebooted on its own. I tried to run it again, and this time the PC froze with the following error:

stop: c000021a: Fatal System Error

The windows subsystem process terminated unexpectedly with a status of 0xc000005 {0xc001b0014 0x0340e064}

The system has been shut down.

I turned off the computer at that point, and haven't turned it back on since this happened last night.

I am not sure what to do next. Please advise.

Thank you.

mbam_log_2010_03_28__14_40_00_.txt

DDS.txt

Attach.txt

Hello mark57! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install any software or hardware while we work on it.

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

I ran the ComboFix program successfully. Please analyze the log file. The only change from the suggested process was that two programs started up after the PC rebooted (Yahoo Messenger and another Yahoo website, which I immediately closed). I still have the CD emulation drivers disabled from Defogger.

Please advise if I need to do anything else.

Thank you!

Mark

log.txt

Hi Mark!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Hi Borislav,

I did exactly as you requested. I downloaded the GMER program and ran it. It ran for a few hours at least. I left the computer to take care of some other things. When I returned, I discovered that the computer had halted again with an error similar to what happened the last time I ran GMER:

STOP: C000021a {Fatal System Error}

The windows system process terminated unexpectedly with a status of 0xc0000005 (0x001bofef 0x0054e064)

The system has been shut down.

The instructions say to run in safe mode if any problems occur. Is that what you want me to do next?

If so, please remind me how to get into safe mode.

Thank you!

Mark

Don't worry! We'll try another way:

Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running.
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

Thanks Mark! :D

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Your database version is 3930, but the current one is 3973, so please update it:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 1:

Please uninstall the following application:

Adobe Acrobat 4.0

Adobe Reader 9.2

After we finish our work, please download and install the latest version of Adobe Reader from:

http://www.adobe.com

Step 2:

Please go into the Control Panel, Add/Remove Programs, and for now remove ALL versions of Java.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
    Then look for the following Java folders and, if found, delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Let me know how things are running now.

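A way to confirm that the manual Java clean-up above actually left nothing behind, as an added example (it is not JavaRa's or the forum's own tooling): the script lists any Java product still registered in Add/Remove Programs and then checks each of the folders named in the instructions. It assumes the standard environment variables are set, so the "username" placeholder from the post is resolved through the current profile; the Wow6432Node key is only relevant on 64-bit Windows and is skipped silently where it does not exist.

```powershell
# Added example, not part of the original post or of JavaRa.
# Verifies that no Java product and none of the leftover folders from the
# clean-up instructions remain. Read-only: it reports, it does not delete.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 64-bit only
)

# 1. Java products still registered in Add/Remove Programs
$javaProducts = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Java|J2SE|JRE|JDK)' } |
    Select-Object DisplayName, DisplayVersion, UninstallString

if ($javaProducts) {
    Write-Host "Java products still registered in Add/Remove Programs:"
    $javaProducts | Format-Table -AutoSize
} else {
    Write-Host "No Java products registered in Add/Remove Programs."
}

# 2. Leftover folders named in the instructions. The per-user paths use the
#    current profile instead of the literal "username" placeholder; on XP
#    $env:ALLUSERSPROFILE is C:\Documents and Settings\All Users.
$allUsers = $env:ALLUSERSPROFILE
$leftoverFolders = @(
    "$env:ProgramFiles\Java",
    "$env:CommonProgramFiles\Java",
    "$env:windir\Sun",
    "$allUsers\Application Data\Java",
    "$allUsers\Application Data\Sun\Java",
    "$env:APPDATA\Java",
    "$env:APPDATA\Sun\Java"
)

foreach ($folder in $leftoverFolders) {
    if (Test-Path -LiteralPath $folder) {
        $bytes = (Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
                  Measure-Object -Property Length -Sum).Sum
        Write-Host ("LEFTOVER: {0} ({1:N0} bytes)" -f $folder, [int64]$bytes)
    } else {
        Write-Host "clean:    $folder"
    }
}
```

Run it from an elevated PowerShell prompt after JavaRa has finished; any line starting with LEFTOVER is a folder that still has to be deleted by hand, and any product listed in the first section still has to be uninstalled before a current Java version is installed.
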
Borislav,

I was able to remove Adobe Acrobat 4.0 except for some subkeys:

Unable to delete all subkeys under HKEY_CLASSES_ROUT\SLSID\{CA8A9780_2801)_11CF_A24D_444553540000}

Unable to delete registry values "HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\User Trusted External Application\C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe"

I removed all Java installed files and directories as requested. Attached is the log from JavaRa.

I would think that the newest version of Java needs to be installed next, but please let me know what to do now. Also, how do I remove the subkeys and registry entry shown above?

Thank you!

Mark

Mark, before you edit the registry, let's do a backup.

Step 1:

Backing up your registry:

  1. Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  2. Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  3. Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  4. Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  5. Make sure that at least the first two check boxes are ticked
  6. Press OK
  7. Press YES to create the folder.

Step 2:

For how to manually remove Adobe Acrobat, see here:

http://support.adobe.com/devsup/devsup.nsf/docs/52390.htm

Please remember: only remove, don't install anything else.

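The "back up first, then remove" discipline from the post above, as an added example that is neither ERUNT nor the forum's own procedure: each leftover key is exported with reg.exe to a .reg file that can be re-imported, and the key is only deleted after the export is confirmed to have succeeded. The key names in the script are placeholders for the Acrobat 4.0 leftovers reported earlier; the -WhatIf switch is an assumption of this example and lets the script be run once in dry-run mode before anything is deleted.

```powershell
# Added example, not part of the original post, ERUNT or Adobe's instructions.
# Exports a registry key to a .reg backup and removes it only if the backup
# exists. Keys below are placeholders; substitute the real leftover keys.

function Backup-AndRemoveRegistryKey {
    param(
        [Parameter(Mandatory=$true)] [string] $Key,        # full hive name, e.g. HKEY_CLASSES_ROOT\CLSID\{...}
        [Parameter(Mandatory=$true)] [string] $BackupDir,
        [switch] $WhatIf                                    # report only, delete nothing
    )

    if (-not (Test-Path -LiteralPath "Registry::$Key")) {
        Write-Host "not present: $Key"
        return
    }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $safeName = $Key -replace '[\\:{}]', '_'
    $backup   = Join-Path $BackupDir ("{0}_{1:yyyyMMdd_HHmmss}.reg" -f $safeName, (Get-Date))

    # reg.exe export writes a file that "reg import <file>" restores verbatim
    & reg.exe export $Key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
        throw "backup of $Key failed; key left untouched"
    }
    Write-Host "backed up $Key -> $backup"

    if ($WhatIf) {
        Write-Host "WhatIf: would delete $Key"
        return
    }
    Remove-Item -LiteralPath "Registry::$Key" -Recurse -Force
    Write-Host "deleted $Key"
}

# Placeholders standing in for the leftover Adobe Acrobat 4.0 entries
$keys = @(
    'HKEY_CLASSES_ROOT\CLSID\{PLACEHOLDER-GUID}',
    'HKEY_CURRENT_USER\Software\PLACEHOLDER-VENDOR\Leftover'
)
$backupDir = Join-Path $env:USERPROFILE 'Desktop\RegBackup'

# First pass: dry run. Drop -WhatIf once the listed keys look right.
foreach ($k in $keys) {
    Backup-AndRemoveRegistryKey -Key $k -BackupDir $backupDir -WhatIf
}
```

Run it from an elevated PowerShell prompt. If a deleted key turns out to have been needed, the matching .reg file on the Desktop can be restored with `reg import`; the ERUNT backup from Step 1 remains the full fallback for the whole registry.
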
Borislav,

Sorry I haven't responded in a number of days. I have been busy with some other work around the house.

Anyway, I was able to back up the registry. However, I did not understand what I was supposed to do to remove the entries from the Registry for Adobe 4.0. I printed the instructions you gave me a link to, but when I read it, it mentioned something about the registry but no detailed instructions. I know there is a REGEDIT program, but I don't remember how to use it.

Please advise.

Thanks,

Mark

Since I didn't think I was done with the disinfection process, I haven't been using this computer. It has been running without being connected to the internet since the McAfee real time anti-virus scanning and firewall are disabled. In addition, I had run another tool that had disabled some drivers that were never restored.

Should I re-enable McAfee and start having my wife use this computer? What tests would you suggest I put the computer through to verify that the infection has been removed?

Thanks,

Mark

Turn on the internet and the antivirus program. First, let the antivirus scan and tell me if it finds something. Then browse the internet and be careful about any problems when surfing. Monitor how your computer behaves, watching for errors and unusual things.

Hi!

I ran the McAfee anti-virus scan and it detected nine viruses and trojans. It quarantined the nine items. I will give you a high level list:

1. Virus: Koobface.worm

2. Trojan: IMAPIOKOSYS.VIR

3. Trojan: CAPCHA.DLL.VIR

4. Trojan: BILL103.EXE

5. Trojan: RDR_1268335333.EXE.VIR

6. Virus: RDR_1268335005.EXE.VIR

7. Trojan: RDR_1268323561.EXE.VIR

8. Virus: RDR_1268323242.EXE.VIR

9. Virus: RDR_1268263698.EXE.VIR

I ran this scan while I was at work. During that time, I did not have the internet connected. Now I do and so far so good.

Mark

Borislav,

I left the computer running last night after going onto some web pages without experiencing any problems. I did not close those pages. Overnight, it appears that the PC rebooted itself. The computer was at the login screen when I looked this morning before going to work. I logged on again, and was able to go to the internet without any problems. I will see what is going on when I get home later today.

I am not sure why it rebooted. I saw last night that it was requesting that Windows updates be launched, but I did not give permission to do so. Could the updates have been done and the computer automatically rebooted to allow those changes to take effect? I hope that is what happened but am not sure.

Mark

Yes, the Windows update may cause it, Mark. Don't worry! :)

I think we're done! :)

Some final steps:

Step 1:

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2:

Please manually delete DDS, GMER, RootRepeal and JavaRa.

Step 3:

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :)
