Hi, I'm new, and I have a bad problem with a rootkit. Please help

Hi all, I’m new here, so hello to everyone. My issue is this: when I booted up my laptop for school today, I was prompted with a pop-up saying "Nata.exe" has stopped responding. I asked my boyfriend what it was, and it’s either a nasty trojan or a password stealer for banking info. When I got home from school I did a full scan and Avast found the problem; it’s this: C:\windows\System32\sbbd.exe, Severity: high, Status: Threat: Rootkit: hidden file. When I went to delete it, I did the restart like Avast wanted. When my laptop booted up and I went to Avast again, I got an error message saying "Access is Denied. (5)". So I tried to move it to the chest and I still got an error message saying "Error: The request is not supported (50)", and from there Avast freezes… I don’t know what to do. I used to have Malwarebytes, but that expired and I can’t afford the real thing; I got another Malwarebytes-related program, soo… Please help.

And thank you to all who read this, and for any helpful advice.

-kyu

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

@Asyn, I’ve downloaded the RogueKiller thing and followed the directions as well; when it was doing the delete/fix shortcuts part, it crashed. I still have the report, though. Could I just put the report on here, or do I have to restart the whole scan again and go from step one?

I didn’t tell you to do so; please provide the basic logs first…!!

I’m sorry this is taking so long; this is something that’s never really happened to me before. :'( For the log, I don’t know if you mean the Avast one that says the name and such, or if you mean this. I tried to do a print screen of what the Avast log said, but it’s not working. And if this isn’t the one you’re talking about, then below this one is the RogueKiller one. I may have to do this in separate posts; I keep on getting an error message when I post, so here is the first bit of the Avast log. Once again, I’m sorry. :'(

Here is something I found in the logging data; I don’t know if this is what you mean. I’ll keep looking, though.
11/6/2012 12:15:11 AM SQL command 'PRAGMA count_changes = 1;PRAGMA full_column_names = 0;PRAGMA synchronous = OFF;PRAGMA encoding = "UTF-8";PRAGMA temp_store = MEMORY;' failed, error 5 (database is locked)
11/6/2012 12:16:18 AM SQL command 'INSERT OR REPLACE INTO Paths (Time, Path, ShortHash, LongHash) VALUES (1352189762, ?, 4149321948, ?);' failed, error 10 (disk I/O error)
11/6/2012 12:16:18 AM SQL command 'SELECT ShortHash, LongHash FROM Paths WHERE Path = ? ORDER BY Time DESC;' failed, error 14 (unable to open database file)
11/6/2012 12:16:26 AM SQL command 'SELECT ShortHash, LongHash FROM Paths WHERE Path = ? ORDER BY Time DESC;' failed, error 14 (unable to open database file)
11/6/2012 12:19:38 AM SQL command 'INSERT OR REPLACE INTO Paths (Time, Path, ShortHash, LongHash) VALUES (1352189961, ?, 4149321948, ?);' failed, error 10 (disk I/O error)
11/6/2012 12:19:38 AM SQL command 'SELECT ShortHash, LongHash FROM Paths WHERE Path = ? ORDER BY Time DESC;' failed, error 14 (unable to open database file)
11/6/2012 12:30:49 AM SQL command 'SELECT Id, Type, TaskGuid, TestedFiles, TestedFolders, TestedData, InfectedFiles, Started, RunTime, Status, Error, Percent, LastScanned, Flags FROM ScanSession WHERE ((TaskGuid = ?));' failed, error 5 (database is locked)
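
A note on the entries above, with an added example that is not part of the thread or of Avast's software: PRAGMA, INSERT and SELECT are SQL statements, and the numbers 5, 10 and 14 after "error" are SQLite's own result codes (SQLITE_BUSY, SQLITE_IOERR and SQLITE_CANTOPEN), so these lines record Avast's scan-history database failing to lock, write or open during the scan. They are worth keeping with the other logs, but on their own they do not name a hidden file. The parser below assumes the line shape shown above (the regex is mine, not an Avast format specification); its sample input is the seven lines from the post, copied as a constructed sample with the curly quotes normalized.

```python
import re
from collections import Counter
from datetime import datetime

# SQLite primary result codes (from sqlite3.h). The number after "error"
# in each Avast line is one of these; it is a database-engine code.
SQLITE_RESULT_CODES = {
    5: "SQLITE_BUSY",       # database is locked
    10: "SQLITE_IOERR",     # disk I/O error
    14: "SQLITE_CANTOPEN",  # unable to open database file
}

# Constructed sample: the seven lines quoted in the post above,
# with the curly quotes replaced by straight ones.
SAMPLE_LOG = """\
11/6/2012 12:15:11 AM SQL command 'PRAGMA count_changes = 1;PRAGMA full_column_names = 0;PRAGMA synchronous = OFF;PRAGMA encoding = "UTF-8";PRAGMA temp_store = MEMORY;' failed, error 5 (database is locked)
11/6/2012 12:16:18 AM SQL command 'INSERT OR REPLACE INTO Paths (Time, Path, ShortHash, LongHash) VALUES (1352189762, ?, 4149321948, ?);' failed, error 10 (disk I/O error)
11/6/2012 12:16:18 AM SQL command 'SELECT ShortHash, LongHash FROM Paths WHERE Path = ? ORDER BY Time DESC;' failed, error 14 (unable to open database file)
11/6/2012 12:16:26 AM SQL command 'SELECT ShortHash, LongHash FROM Paths WHERE Path = ? ORDER BY Time DESC;' failed, error 14 (unable to open database file)
11/6/2012 12:19:38 AM SQL command 'INSERT OR REPLACE INTO Paths (Time, Path, ShortHash, LongHash) VALUES (1352189961, ?, 4149321948, ?);' failed, error 10 (disk I/O error)
11/6/2012 12:19:38 AM SQL command 'SELECT ShortHash, LongHash FROM Paths WHERE Path = ? ORDER BY Time DESC;' failed, error 14 (unable to open database file)
11/6/2012 12:30:49 AM SQL command 'SELECT Id, Type, TaskGuid, TestedFiles, TestedFolders, TestedData, InfectedFiles, Started, RunTime, Status, Error, Percent, LastScanned, Flags FROM ScanSession WHERE ((TaskGuid = ?));' failed, error 5 (database is locked)
"""

# Line shape assumed from the sample lines (my regex, not an Avast spec);
# the quote class accepts straight or curly single quotes around the SQL.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"SQL command ['\u2018](?P<sql>.*)['\u2019] failed, "
    r"error (?P<code>\d+) \((?P<msg>[^)]*)\)$"
)


def parse_line(line):
    """Return a dict for one Avast SQL-error line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = int(m.group("code"))
    sql = m.group("sql")
    return {
        "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "statement": sql.split(None, 1)[0].upper(),  # PRAGMA / INSERT / SELECT
        "code": code,
        "name": SQLITE_RESULT_CODES.get(code, "UNKNOWN"),
        "message": m.group("msg"),
    }


def summarize(text):
    """Parse every matching line; tally failures by result code and by statement."""
    events = [e for e in map(parse_line, text.splitlines()) if e is not None]
    if not events:
        return {"events": 0, "by_code": Counter(), "by_statement": Counter(),
                "span_seconds": 0, "all_sqlite_codes": True}
    times = [e["time"] for e in events]
    return {
        "events": len(events),
        "by_code": Counter(e["code"] for e in events),
        "by_statement": Counter(e["statement"] for e in events),
        # wall-clock distance between the first and last failure
        "span_seconds": int((max(times) - min(times)).total_seconds()),
        # True when every failing line carries a known SQLite result code
        "all_sqlite_codes": all(e["code"] in SQLITE_RESULT_CODES for e in events),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for code, n in sorted(s["by_code"].items()):
        print(f"error {code} ({SQLITE_RESULT_CODES.get(code, 'UNKNOWN')}): {n} line(s)")
    print("statements:", dict(s["by_statement"]))
    print("span:", s["span_seconds"], "s; all SQLite result codes:", s["all_sqlite_codes"])
```

Run against a full Avast log it tallies how often the scanner's own database calls failed and over what window; a run where every failure is a known SQLite code, as here, is the scanner's bookkeeping breaking, which is a separate question from what aswMBR or OTL find on disk.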

For the log, I don't know if you mean the avast one that says the name and such or if you mean this.
ALL info is in Asyn's first post. Read it again and click the link he gave.

See: Reply #1…!!!
We need the logs from: AdwCleaner, MBAM, OTL and aswMBR

Edit: Thanks Pondus. :slight_smile:

Ok ok I’m sorry, I’ll download them and get the logs from them. I’m sorry everyone. :cry:

No problem. :wink:

Ok, I have them downloaded and am doing scans. Since it is 3:14am where I live, would it be ok if I post the logs when I wake up later? I have one log right now, the RogueKiller one. I can post that one up right now.

Sure, post your logs whenever you’re ready.

PRAGMA is a rootkit; the logs should show me where it is hiding.

Ok, here is the log from Malwarebytes. Also, I did the OTL scan thing, but I got an error message saying "Out of Memory." and now I think it’s stuck on scanning Firefox files. Should I just re-do it?

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.06.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Kyu :: KYU-PC [administrator]

11/6/2012 10:56:36 AM
mbam-log-2012-11-06 (10-56-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220407
Time elapsed: 12 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Yes, re-run it, but do it from Safe Mode if possible.

Ok, I will. Thank you everyone for being patient and kind to me. It really helps a lot. :slight_smile:

Not a problem; I understand how scary this must be.

It is very scary, and I must thank you all once again for your kindness. :slight_smile: I’m running Safe Mode right now and I have the log for the adware thing, though when I try to post it, it says it’s too big, so I’m gonna try to cut the size of it a little and send it again. Also, I’m still encountering the "No Memory." error when I try to run OTL. :frowning:

Until I’m able to get the size down, here is the MBR file.

OK, I will jump a stage now, as OTL does not want to play.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.

I’ll get started on the download right away. Before I launch it and let it run its course, should I continue to be in Safe Mode, or can I go back to running my laptop in the normal way?