GeekPolice Tech Tutorials


Websteroid?!?!? Argh


Re: Websteroid?!?!? Argh
Looks good!
system-log.txt
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.16521

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 2.806000 GHz
Memory total: 6433136640, free: 3711668224

Downloaded database version: v2014.04.02.07
Downloaded database version: v2014.03.27.01
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 38A9546D

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 1953314816

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1953505168-1953525168)...
Done!
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 12AE6B35

Partition information:

Partition 0 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 623872494

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 319422750720 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished


and mbar-log-2014-04-02 (10-37-28).txt
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.04.02.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
Left Coast :: MADDOW [administrator]

4/2/2014 10:37:28 AM
mbar-log-2014-04-02 (10-37-28).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 250041
Time elapsed: 7 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)


Thanks!
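What the MBAR log above is reporting for each drive is the contents of sector 0: the 55AA boot signature, the 4-byte NT disk signature, and the four 16-byte partition entries, followed by a sweep of the sectors no partition claims. The script below is an added example of my own (not Malwarebytes' code and not from the thread) that parses that layout and applies the structural checks a rootkit scanner cares about: a status byte other than 0x00/0x80, more than one active entry, overlapping or out-of-range partitions, and the unpartitioned gaps where a bootkit can park its payload. The sample sector is constructed here from the Drive 0 values in the log with the boot-code area zero-filled; the unpartitioned ranges come out as half-open [start, end) where the log prints inclusive ends; and the boot-code hash assumes you have a known-good copy of the sector to compare against, which the script does not supply.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOTCODE_LEN = 440          # bytes 0..439 hold the boot loader code
DISK_SIG_OFFSET = 0x1B8     # 4-byte NT disk signature, little-endian
PT_OFFSET = 0x1BE           # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 0x1FE     # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

DISK0_SECTORS = 1000204886016 // 512   # 1953525168, from the log's "Disk Size"


@dataclass
class Partition:
    index: int
    status: int        # 0x80 = active (bootable), 0x00 = inactive; anything else is malformed
    type_code: int     # 0x07 = NTFS/exFAT, 0x00 = empty, 0xEE = GPT protective, ...
    lba_start: int
    num_sectors: int

    @property
    def active(self) -> bool:
        return self.status == 0x80

    @property
    def empty(self) -> bool:
        return self.type_code == 0 and self.num_sectors == 0

    @property
    def lba_end(self) -> int:      # exclusive
        return self.lba_start + self.num_sectors


def parse_mbr(sector: bytes):
    """Return (disk_signature, [Partition] * 4); reject anything without a 55AA signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[BOOT_SIG_OFFSET:] != b"\x55\xaa":
        raise ValueError("boot signature is not 55AA")
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, nsec = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        parts.append(Partition(i, status, ptype, lba, nsec))
    return disk_sig, parts


def check_partition_table(parts, disk_sectors):
    """Structural checks a rootkit scanner applies to the table; returns a list of findings (empty = clean)."""
    findings = []
    if sum(p.active for p in parts) > 1:
        findings.append("more than one active partition")
    seen = []
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status byte {p.status:#04x}")
        if p.empty:
            continue
        if p.lba_end > disk_sectors:
            findings.append(f"partition {p.index}: extends past end of disk")
        for q in seen:
            if p.lba_start < q.lba_end and q.lba_start < p.lba_end:
                findings.append(f"partition {p.index} overlaps partition {q.index}")
        seen.append(p)
    return findings


def unpartitioned_ranges(parts, disk_sectors):
    """Half-open sector ranges no partition claims (sector 0 is the MBR itself).
    These gaps are where a bootkit can hide code, which is why MBAR scans them."""
    used = sorted((p.lba_start, p.lba_end) for p in parts if not p.empty)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


def bootcode_sha256(sector: bytes) -> str:
    """Digest of the 440 boot-code bytes. Only meaningful against a known-good copy taken earlier
    (assumption: you have one); a mismatch means the loader was rewritten, valid signature or not."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def build_sample_mbr() -> bytes:
    """Constructed sector reproducing the Drive 0 table from the posted log; boot code is zero-filled."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0x38A9546D)
    entries = [(0x80, 0x07, 2048, 204800),        # 100 MB active NTFS partition (the bootable one in the log)
               (0x00, 0x07, 206848, 1953314816)]  # the large NTFS volume
    for i, (status, ptype, lba, nsec) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i, status, b"\0\0\0", ptype, b"\0\0\0", lba, nsec)
    sector[BOOT_SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    sig, parts = parse_mbr(build_sample_mbr())
    print(f"Disk Signature: {sig:08X}")
    for p in parts:
        print(p, "ACTIVE" if p.active else "")
    print("findings:", check_partition_table(parts, DISK0_SECTORS))
    print("unpartitioned:", unpartitioned_ranges(parts, DISK0_SECTORS))
```

To run it against a real disk, replace `build_sample_mbr()` with the first 512 bytes read from `\\.\PhysicalDrive0` (administrator rights needed); a clean table gives no findings, and the interesting results are a non-zero/0x80 status byte, a partition that reaches past the disk, or a boot-code digest that differs from the one you recorded when the machine was known clean.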

Re: Websteroid?!?!? Argh
EEK! Whoa Nelly! Holy Smokes!
I just tried the Win Update, was told that it failed, and when I rebooted, now I have a black screen with a flashing cursor in the upper left corner. Nothing else. I've tried a soft and hard reboot.
Sort of panicking right now...

Re: Websteroid?!?!? Argh
Can you boot in Safe Mode?

Re: Websteroid?!?!? Argh
You mean, reboot and hit F8 a bunch? Nope.

Re: Websteroid?!?!? Argh
Wait. I just tried again and I can get to Safe Mode.
I'm trying REPAIR. Stand by.

Re: Websteroid?!?!? Argh
Phew! I repaired and restarted, then restarted again. Seems like it might be fine. That was very scary.

But, recapping, it seems like there was no change from running the rootkit tool.
Does this mean that I'm good to go?

Last edited by buffm on 2nd April 2014, 6:55 pm; edited 1 time in total (Reason for editing: adding more information)

Re: Websteroid?!?!? Argh
It looks like everything is back to working order. Thank you.

Re: Websteroid?!?!? Argh
Just one more scan to make sure everything is gone, if you don't mind.
I'd like to scan your machine with ESET OnlineScan.

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

• Check
• Click the button.
• Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Websteroid?!?!? Argh
C:\AdwCleaner\Quarantine\C\ProgramData\Websteroids\Websteroids.exe.vir a variant of MSIL/Adware.PullUpdate.D application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\Websteroids\WebsteroidsService.exe.vir a variant of MSIL/Adware.PullUpdate.A application cleaned by deleting - quarantined

And here is the text of the log.txt:
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5ecfbde286bfe54eb2d765d436ca0a01
# engine=17748
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-04-04 01:28:26
# local_time=2014-04-03 06:28:26 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 22925157 148118356 0 0
# scanned=185120
# found=2
# cleaned=2
# scan_time=6116
sh=2CDAC140B71911CFE8C9BB2CD7D383E11413A69A ft=1 fh=765497c44fa2b0ff vn="a variant of MSIL/Adware.PullUpdate.D application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\Websteroids\Websteroids.exe.vir"
sh=0B282431D560C9CB16696F6313A29B5B2853A366 ft=1 fh=868041b6d05f6e12 vn="a variant of MSIL/Adware.PullUpdate.A application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\Websteroids\WebsteroidsService.exe.vir"


The only question I have is that I did not select DELETE QUARANTINED FILES before I hit FINISH.

Thank you.
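The ESET log has a `# key=value` header followed by one `sh=... ft=... fh=... vn="..." ac=... fn="..."` record per detection. Both hits here are `.vir` files under C:\AdwCleaner\Quarantine, that is, copies AdwCleaner had already isolated rather than anything still running, which is the check worth making before reading "found=2" as a live infection. The script below is an added example of mine (not ESET's code and not from the thread) that parses such a log, cross-checks the header counters against the records, pulls out the 40-hex `sh` values for hash lookups, and separates hits inside a quarantine folder from live ones. The embedded log is the one posted above with a few header lines trimmed; the `ft`, `fh` and `ac` fields are not explained on the page and are carried through untouched; the quarantine-path patterns are my own assumption.

```python
import re
from collections import Counter

# The log posted in the thread, embedded here (a few header lines trimmed) so the example runs offline.
SAMPLE_LOG = r'''# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# engine=17748
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-04-04 01:28:26
# osver=6.1.7601 NT Service Pack 1
# scanned=185120
# found=2
# cleaned=2
# scan_time=6116
sh=2CDAC140B71911CFE8C9BB2CD7D383E11413A69A ft=1 fh=765497c44fa2b0ff vn="a variant of MSIL/Adware.PullUpdate.D application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\Websteroids\Websteroids.exe.vir"
sh=0B282431D560C9CB16696F6313A29B5B2853A366 ft=1 fh=868041b6d05f6e12 vn="a variant of MSIL/Adware.PullUpdate.A application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\ProgramData\Websteroids\WebsteroidsService.exe.vir"
'''

# key=value pairs; a value is either a double-quoted string (paths, names with spaces) or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed quarantine markers (AdwCleaner's layout is the one seen in the thread); extend for other tools
QUARANTINE_DIRS = ("\\adwcleaner\\quarantine\\", "\\quarantine\\")
QUARANTINE_EXTS = (".vir",)


def parse_eset_log(text):
    """Split an ESET Online Scanner log into (header dict, list of detection dicts)."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
        elif line.startswith("sh="):
            # findall yields '' for the alternative that did not match, hence `quoted or bare`
            detections.append({key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)})
    return header, detections


def classify(det):
    """'quarantined' if the hit is a copy already isolated by another tool, otherwise 'live'."""
    path = det.get("fn", "").lower()
    if path.endswith(QUARANTINE_EXTS) or any(d in path for d in QUARANTINE_DIRS):
        return "quarantined"
    return "live"


def summarize(header, detections):
    """Cross-check the header counters against the records and bucket the hits."""
    states = Counter(classify(d) for d in detections)
    cleaned = sum("cleaned" in d.get("vn", "") for d in detections)
    return {
        "found_matches": header.get("found") == str(len(detections)),
        "cleaned_matches": header.get("cleaned") == str(cleaned),
        "live": states["live"],
        "quarantined": states["quarantined"],
        "sha1": [d["sh"].lower() for d in detections],   # 40-hex values, SHA-1 length
    }


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    for d in dets:
        print(classify(d), d["sh"], d["vn"].split(" (")[0], d["fn"], sep=" | ")
    print(summarize(hdr, dets))
```

Point it at a real `C:\Program Files\ESET\ESET Online Scanner\log.txt` by reading the file into `parse_eset_log`; a `live` count of zero with matching counters is the "nothing left running" result this thread ends on, and a `live` hit outside any quarantine path is the one that needs follow-up.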

Re: Websteroid?!?!? Argh
The only question I have is that I did not select DELETE QUARANTINED FILES before I hit FINISH.

That's OK. They are in the AdwCleaner quarantine folder. You can remove them by cleaning the quarantine folder. We can do some cleanup and we'll be finished.
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.

Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
*************************************************
Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

Re: Websteroid?!?!? Argh
Excellent! Thank you so much.

Re: Websteroid?!?!? Argh
You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.