Win32: Rontokbr-12 - Help!

???
Can someone please help me? I’m pretty new to the virus thing - but it seems I need a fast education. I installed the most recent free Avast download on my home computer last week. That same day, I installed the backup program GFI onto the same computer. After I backed up the whole computer onto my external hard drive, Avast went wild with error logs, and things flying into the virus chest, etc. I saved the error log that Avast puts into notepad for reference. Can anyone help me? I don’t even know where to start!
Also, it seems that an entire folder from my flash drive disappeared. Can this virus move folders around? The folder is not in the virus chest, either. I see that this virus is adding files with .exe extensions. Do you know where I can find the folder, or is it gone?

Thank you!

Welcome to the forum! :slight_smile:
Please read here: http://forum.avast.com/index.php?topic=43485.0
asyn

Thanks for trying to point me in the right direction, but you’re giving me too much credit - I don’t understand half of what that thread is talking about. Can you do a step by step with me?

Anybody else have any pointers?

Thank you!

Hello,

I have sent a pm to one of my forum friends. He is a trained man. He will help you out. Make sure you obey him. He will post shortly.

Thanks
nmb

No problem… :wink:
Step by step follows shortly, as nmb posted…
Good luck…! :slight_smile:
asyn

Here we go

GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.


[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)


[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*] Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any “<-- ROOTKIT” entries.
Please copy and paste the report into your Post.

THEN

Download OTL to your Desktop

[*] Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*] Under the Custom Scan box paste this in


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

[*] Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*] When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*] Post both logs as an attachment

Ok - essexboy - thank you for your very detailed directions.
After I ran the GMER, I tried to open the OTL. My computer seemed to freeze up, and I couldn’t get anything to work. I tried to view the task manager, but even that didn’t open. I finally opted to shut down, and it seemed that nothing was happening. Eventually, the “end Program” dialog box popped up, but I didn’t have any of those programs running! I’m not sure what that was about.
When I restarted the computer, I was able to open OTL, and do what you said. However, the scan took very long - I don’t know why. I am including all the logs that you asked to see. Could it be because I shut down after the GMER, before the OTL? Or could it be that because I backed up the whole computer recently, it was scanning every single file that was recently accessed…

Please keep me updated!

I am attaching the ARK file, and will post the other two separately - the files are too large to put in one post.

Thanks again!

Here are the other two from OTL.

Hi I can see an MBR rootkit

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2002/07/09 17:15:09 | 000,277,802 | ---- | M] () -- C:\thejnet1718.exe
[2002/05/13 08:49:45 | 000,000,015 | ---- | M] () -- C:\tt.exe
[1 C:\WINNT\system32\*.tmp files -> C:\WINNT\system32\*.tmp -> ]

:Files
C:\WINNT\TEMP\mc*.tmp 

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download this tool to the C:\WINDOWS folder. (It is important that it is saved to the C:\WINDOWS folder, and not to your Desktop.)

Then, go to Start >> Run >> copy/paste below >> Press ENTER

mbr -f

Once it has run (it may ask for a reboot) and it may only take seconds

Then, go to Start >> Run >> copy/paste below >> Press ENTER

mbr -t

Then a logfile (mbr.log) will be created on your screen (find it at C:\WINDOWS\mbr.log).

Just for notification - I don’t have internet access on my home computer, so I am communicating with you via work. That’s why there is such a lapse in the time it takes me to respond - I download the programs, and can only work on the fix in the evenings.
Yesterday, I accidentally did not download the tool (MBR) to bring home, so I only followed the first part of the instructions - the OTL scan. The log is attached. No “extra” log was created this time. I will follow the second half of the directions tonight, and update you tomorrow.

Also, just wondering. Everything done up until the most recent scan was done with a USB flash drive connected to the computer. The 4/21 instructions that I followed were done without that flash drive installed. My question is if that is a problem or not. I don’t know if there is a bug on the flash drive, or if all the cleanup that you are directing is even checking the flash drives. Do I have to be afraid to use the flash drive now, because it is one step behind in the cleanup process?

Thank you for all your help!

Right, let's clear the USB drive just in case

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

[*] Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
[*] The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
[*] Wait until it has finished scanning and then exit the program.
[*] Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don’t delete this folder…it will help protect your drives from future infection.

Uh… Sorry to sound totally ignorant, but there is no Windows folder in my C drive. Did you mean for me to create one? So I did that, and put the tool in there, but when I did start/run, and I put in what you said to post there, it said that it isn’t found. Don’t I need to be looking for the program when I go to start/run? There isn’t a folder called WBR -t - so it isn’t finding it!
If I run the program just by double clicking it, it does a really fast flash on the screen and then a small report, but I don’t think that’s what you meant.

I probably won’t respond until Monday, but please don’t drop this thread!!!

Thanks again…

Sorry, for you it will be C:\winnt - I did not notice that first time round - so follow the instructions as previous, but for windows read winnt

When I try to run the MBR tool, by search, run, it cannot find the file. What am I doing wrong? I only have one application downloaded as a tool - should there have been more than that? If not, how could it run as two separate files, mbr -f and mbr -t?

Also, I ran the flash disinfectant on all our flash drives (3 in all). Afterwards, I checked the flash drive that had a problem beforehand, and it still showed an infected folder within every folder. It copied the name of the folder and made a subfolder with an exe extension. When I right click and do a scan just on that folder, avast picks up a threat. Could it be that it is a false positive? Or could this rootkit be really stubborn?

Also, once this is all done, will I be able to get back the 2 folders that seem to have disappeared?

Thank you!
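A defender-side check for the symptom described in the post above (a flash drive where each folder gains a same-named .exe beside it) and for the protective autorun.inf folder Flash_Disinfector leaves behind, as noted earlier in the thread. This is an added example, not code from the thread or from any of the tools it mentions; it only reports findings and never deletes anything, and it builds its own constructed sample drive layout in a temporary directory.

```python
import os
import tempfile


def find_folder_mimics(root):
    """Report *.exe files whose base name matches a directory in the same
    parent, the "folder copied with an .exe extension" pattern described in
    the thread. Paths are returned relative to root with '/' separators."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs = {d.lower() for d in dirnames}  # Windows names are case-insensitive
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".exe" and stem.lower() in dirs:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def autorun_state(root):
    """'folder': autorun.inf is a directory (Flash_Disinfector's placeholder,
    which stops a worm from dropping a real autorun.inf in its place);
    'file': a real autorun.inf exists and deserves a look; 'absent': nothing."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "folder"
    if os.path.isfile(path):
        return "file"
    return "absent"


def build_sample_drive():
    """Constructed sample layout, not a real infection: two folders each
    shadowed by a same-named .exe, one ordinary installer, and the protective
    autorun.inf folder. The .exe files hold two inert bytes only."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    os.makedirs(os.path.join(root, "Photos"))
    os.makedirs(os.path.join(root, "Docs", "Reports"))
    for rel in ("Photos.exe", os.path.join("Docs", "Reports.exe"), "setup.exe"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"MZ")
    os.makedirs(os.path.join(root, "autorun.inf"))
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    print("autorun.inf:", autorun_state(drive))
    for hit in find_folder_mimics(drive):
        print("folder-mimic executable:", hit)
```

Point `find_folder_mimics` at a mounted drive letter such as `E:\` to list candidates for a manual scan; it flags names only, so a hit is something to submit to the scanner, not proof of infection.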

The -t and -f are two commands for the mbr programme to run

Could you confirm that mbr exe is in your winnt folder and that you are using the run command with the stated switches (-t, -f) i.e mbr -f

I am going to search, run, then I browse and click on the program. It inserts it into the space for the file. Do I then do \wbr -f?

sorry for the incessant questions…

Ah OK I am with you now

You should see something similar to the screen shot; type into the run box mbr -f as shown

Okay - I left work before you responded yesterday, and I ran it this way: c:\winnt\mbr.exe\ -t. It seemed to work. I am attaching the log it produced. When I did it the way you indicated, it said file not found - and I did ascertain that the program was in WINNT.

Thank you!

Ok, that confirms that the MBR is OK now - what other problems do you have? I am intrigued by the way MBR worked on your system, as it is totally different to the way it runs on mine

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*] Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*] If an update is found, it will download and install the latest version.
[*] Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*] The scan may take some time to finish, so please be patient.
[*] When the scan is complete, click OK, then Show Results to view the results.
[*] Make sure that everything is checked, and click Remove Selected.
[*] When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*] The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*] Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Can I put my flash drives in and run this scan on all drives?