BleepingComputer.com: Windows XP Master Boot Record Virus

I was using the Internet on my wife’s Dell Inspiron 6000 laptop, running Windows XP, and Avira Antivir Personal antivirus software (up to date), when I picked up something that lead to the “System Tool” virus (Trojan?) installing itself (complete with a terrifying new desktop and inviting me to pay $60 to get rid of all the viruses and Trojans it had found!).

I realised, too late, that the Trojan had emulated my Avira Antivir software’s “Malware Detected” dialogue box, upon which I had clicked and thereby installed the Trojan. I tried to shut down via the Start button, but the dialogues did not look correct so I crashed out by holding down the power button.

Re-booting the laptop is now impossible. The BIOS runs normally (and I’m comfortable ferreting around in there), but anything after that: completely blank screen, no disk activity, nothing (so the info posted here is interesting but not my situation, I can’t get the laptop to do anything from starting normally).

I downloaded Avira Antivir rescue disk software, burnt the CD (on my Vista machine, which I am currently using to post this), which runs in Linux, and I am able to boot to this from the laptop’s CD drive. Running a boot sector scan shows that the BOO/TDss.A virus is there, BUT the program won’t let me remove it.

I’ve played around with the Avira Antivir rescue disk software, which also includes Midnight Commander (a file manager), but can’t get much further than looking (I’ve copied AUTOEXEC.BAT, CONFIG.SYS, and IO.SYS from what looks like a Dell partition on the hard disk, to the C:\ drive, but this still hasn’t let me boot into Windows).

Dell, bless them, do not provide a Windows XP recovery CD (just a CD-shaped piece of paper telling me to look on the C:\ drive for recovery information and an instruction manual, which is not much use if I can’t get into Windows to read it!). I’ve downloaded and burnt a Windows XP Boot CD, which when run on the laptop gives me the error message “hal.dll missing or corrupt”, which I’ve read is likely to be a consequence of the BOOT.INI being corrupted, which I assume is something to do with the Master Boot Record.

Ideally, I’d like to recover the data on the laptop (needless to say, my wife hadn’t backed up anything) but at the very least we’d like to get the laptop back working, because at the moment it’s just a useless piece of junk, so a fresh install of Windows isn’t beyond question (but I haven’t got the means to do this!).

I’ve had good look round this website, but can’t see anything about this particular problem (although, as my wife says so often, I need to look without “Man Eyes”, so it’s probably been dealt with here somewhere). Any help gratefully received, and hopefully before my wife gives up on her Dell laptop entirely and buys herself a Macbook…

This is what the Avira Antivir website says about this Trojan:
Virus: BOO/TDss.A
Date discovered: 14/01/2011
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 512 Bytes
MD5 checksum: 317d3910dd859c49feeb3ab9c6594fd6
IVDF version: 7.11.01.144 - Friday, January 14, 2011

General Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Rootkit.Win32.TDSS.mbr
• F-Secure: Rootkit.Win32.TDSS.mbr
• Sophos: Troj/TdlMbr-B
• Bitdefender: Rootkit.MBR.TDSS.A
• Avast: Alureon-C@mbr
• Microsoft: Trojan:DOS/Alureon.A
• GData: Rootkit.MBR.TDSS.A
• DrWeb: BackDoor.Tdss.4005
• Fortinet: BOOT/TDSS.A
• Ikarus: Rootkit.Win32.TDSS

EDIT:
Just seen that right after the Dell BIOS screen, and before the screen goes blank, this message is displayed very briefly:

Loading PBR 2... Done

Is this significant?

This post has been edited by Johnny Blue: 03 March 2011 - 08:33 AM

I have asked someone to look at this and i've moved you to the Am Infected forum.

Thanks. Apologies for posting in the wrong forum (it's those Man Eyes again!).

Hi,

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer

• Run GETxPUD.exe
  
• A new folder will appear on the desktop.
  
• Open the GETxPUD folder and click on the get&burn.bat
  
• The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  
• Click on Start and follow the prompts to burn the image to a CD.
  
• Next download driver.sh to your USB drive
  
• Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  
• Remove the USB & CD and insert them in the sick computer
  
• Boot the Sick computer with the CD you just burned
  
• The computer must be set to boot from the CD
  
• In some computers you need to tap F12 and choose to boot from the CD, in others is the Esc key. Please consult your computer's documentation.
  
• Follow the prompts
  
• A Welcome to xPUD screen will appear
  
• Press File
  
• Expand mnt
  
• sda1,2...usually corresponds to your HDD
  
• sdb1 is likely your USB
  
• Click on the folder that represents your USB drive (sdb1 ?)
  
• Confirm that you see driver.sh that you downloaded there
  
• Press Tool at the top
  
• Choose Open Terminal
  
• Type bash driver.sh
  
• Press Enter
  
• After it has finished a report will be located on your USB drive named report.txt
  
• Then type bash driver.sh -af
  
• Press Enter
  
• You will be prompted to input a filename.
  
• Type the following:
  
  
  Winlogon.exe
  
  
• Press Enter
  
• If successful, the script will search for this file.
  
• After it has completed the search enter the next file to be searched
  
• Type the following:
  
  
  explorer.exe
  
  
• Press Enter
  
• After it has completed the search enter the next file to be searched
  
• Type the following:
  
  
  Userinit.exe
  
  
• Press Enter
  
• After the search is completed type Exit and press Enter.
  
• After it has finished a report will be located in the USB drive as filefind.txt
  
• While still in the Open Terminal, type bash query.sh
  
• Press Enter
  
• After it has finished a report will be located in the USB drive as RegReport.txt
  
• Then type dd if=/dev/sda of=mbr.bin bs=512 count=1
  
  
  
  Leave a space among the following Statements:
  
  dd is the executable application used to create the backup
  if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
  of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
  bs=512 is the number of bytes in the backup
  count=1 says to backup just 1 sector
  
  
  It is extremely important that the if and of statements are correctly entered.
  
  
• Press Enter
  
• After it has finished a report will be located in the USB drive as mbr.bin
  
• Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logss forum where it will stay.

Please remember to click the Watch Topic button at the top right so you do not miss any replies now that you were moved.

You have excellent help here with JSntgRvr.

Many thanks to you both!

One problem: everything went well (love that xPUD program! I'll have to convert to Linux one day!) until I put the USB into my desktop. The Avira dialogue box came up "Guard: Malware found" "BOO/TDss.A found in mbr.bin" "Access Denied". This is the exact same style of box that came up on my wife's laptop when I got the original infection, so I'm very nervous (except that this time I know it's genuine!).

Unfortunately it also means that neither WinRAR nor 7-Zip can get access to it to zip it! What now?

Here are the other files:

Report.txt

Thu Mar 3 16:28:21 UTC 2011
Driver report for /mnt/sda2/i386/SP1/Windows/System32/Drivers /mnt/sda2/i386/SP1/Windows/System32/Drivers/mrxsmb.sys has NO Company Name! /mnt/sda2/i386/SP1/Windows/System32/Drivers/rdbss.sys has NO Company Name! /mnt/sda2/i386/SP1/Windows/System32/Drivers/srv.sys has NO Company Name!

7f09b37065b61ddbc6116f612e6183d1 /mnt/sda2/i386/SP1/Windows/System32/Drivers/mrxsmb.sys
Microsoft Corporation

1fd256b6025449dca3670574c0229d65 /mnt/sda2/i386/SP1/Windows/System32/Drivers/rdbss.sys
Microsoft Corporation

20fb95da0093f45825b6d0d74e1ffb9f /mnt/sda2/i386/SP1/Windows/System32/Drivers/srv.sys
Microsoft Corporation

Driver report for /mnt/sda2/i386/SP2/Windows/System32/Drivers /mnt/sda2/i386/SP2/Windows/System32/Drivers/mrxsmb.sys has NO Company Name! /mnt/sda2/i386/SP2/Windows/System32/Drivers/srv.sys has NO Company Name!

7b195060ff456fa65954c72c5c1640ff /mnt/sda2/i386/SP2/Windows/System32/Drivers/mrxsmb.sys
Microsoft Corporation

54e79b08d0abc9c551d0fe69cc2f87ec /mnt/sda2/i386/SP2/Windows/System32/Drivers/srv.sys
Microsoft Corporation

Driver report for /mnt/sda2/WINDOWS/system32/drivers

c1536905ad2067812a238bce998f4bff 1394bus.sys
Microsoft Corporation

6abb91494fe6c59089b9336452ab2ea3 ABP480N5.SYS
Microsoft Corporation

9859c0f6936e723e4892d7141b1327d5 acpiec.sys
Microsoft Corporation

8fd99680a539792a30e97944fdaecf17 acpi.sys
Microsoft Corporation

9a11864873da202c996558b2106b0bbc adpu160m.sys
Microsoft Corporation

8bed39e3c35d6a489438b8141717a557 aec.sys
Microsoft Corporation

7e775010ef291da96ad17ca4b17137d7 afd.sys
Microsoft Corporation

08fd04aa961bdc77fb983f328334e3d7 agp440.sys
Microsoft Corporation

03a7e0922acfe1b07d5db2eeb0773063 agpcpq.sys
Microsoft Corporation

c23ea9b5f46c7f7910db3eab648ff013 aha154x.sys
Microsoft Corporation

19dd0fb48b0c18892f70e2e7d61a1529 aic78u2.sys
Microsoft Corporation

b7fe594a7468aa0132deb03fb8e34326 aic78xx.sys
Microsoft Corporation

8525b88d8e902e7b587fca034b298693 alcacr.sys
Ht,,VS_VERSION_INFO-b-b?StringFileInfohbComments/bCompanyNameTHOMSONaFileDescriptionHelpervFileVersion...$InternalName/`LegalCopyrightCopyrightTHOMSON-(LegalTrademarks,OriginalFilename/PrivateBuild>ProductNameSpeedTouchUSB:vProductVersion...SpecialBuildDVarFileInfo$Translationt$(,

0940030d5a5869067ccc03e3b0b8dec7 alcan5wn.sys
H`VS_VERSION_INFO-b-b?StringFileInfopbComments/bCompanyNameTHOMSON>vFileDescriptionWANDrivervFileVersion...$InternalName/`LegalCopyrightCopyrightTHOMSON-(LegalTrademarks,OriginalFilename/PrivateBuild>ProductNameSpeedTouchUSB:vProductVersion...SpecialBuildDVarFileInfo$Translationt,

4c9577888c53243e2991456f510488a1 alcaudsl.sys
HVS_VERSION_INFO-b-b?StringFileInfopbComments/bCompanyNameTHOMSON>vFileDescriptionWDMDrivervFileVersion...$InternalName/`LegalCopyrightCopyrightTHOMSON-(LegalTrademarks,OriginalFilename/PrivateBuild>ProductNameSpeedTouchUSB:vProductVersion...SpecialBuildDVarFileInfo$Translationtb

66065ef8736cd9a4ee0f8b02055f45b5 alcawh.sys
H,,VS_VERSION_INFO-b-b?StringFileInfohbComments/bCompanyNameTHOMSONaFileDescriptionHelpervFileVersion...$InternalName/`LegalCopyrightCopyrightTHOMSON-(LegalTrademarks,OriginalFilename/PrivateBuild>ProductNameSpeedTouchUSB:vProductVersion...SpecialBuildDVarFileInfo$TranslationtXdhlp

1140ab9938809700b46bb88e46d72a96 aliide.sys
Acer Laboratories

cb08aed0de2dd889a8a820cd8082d83c alim1541.sys
Microsoft Corporation

95b4fb835e28aa1336ceeb07fd5b9398 amdagp.sys
Advanced Micro Devices

d7701d7e72243286cc88c9973d891057 amdk6.sys
Microsoft Corporation

8fce268cdbdd83b23419d1f35f42c7b1 amdk7.sys
Microsoft Corporation

79f5add8d24bd6893f2903a3e2f3fad6 amsint.sys
Microsoft Corporation

aeb775a2bae0f392ba6adc0bb706233a Apfiltr.sys
Alps Electric

b5b8a80875c1dededa8b02765642c32f arp1394.sys
Microsoft Corporation

69eb0cc7714b32896ccbfd5edcbea447 asc3350p.sys
Microsoft Corporation

5d8de112aa0254b907861e9e9c31d597 asc3550.sys
Advanced System Products

62d318e9a0c8fc9b780008e724283707 asc.sys
Advanced System Products

d880831279ed91f9a4190a2db9539ea9 asctrm.sys
Windows DDK provider

b153affac761e7f5fcfa822b9c4e97bc asyncmac.sys
Microsoft Corporation

9f3a2f5aa6875c72bf062c712cfa2674 atapi.sys
Microsoft Corporation

d649c57da6fa762c64013747e5d7d2d6 ati1btxx.sys
ATI Technologies

60b6aa2dc1521da343f781b70eb7895a ati1mdxx.sys
ATI Technologies

6fdc61e8e8e17f6ecc2d9a10fa8df347 ati1pdxx.sys
ATI Technologies

9d318099bf3876a4af4bc75966d27603 ati1raxx.sys
ATI Technologies

bcaf267b10620f8c93f6e87ab726e145 ati1rvxx.sys
ATI Technologies

dac7d785cf62f5bd41441e9d6f5a6efe ati1snxx.sys
ATI Technologies

f7706dae7d101f1b19ce552d772ebfce ati1ttxx.sys
ATI Technologies

6f714b4720dd80ffa9f8d2731594ea4c ati1tuxx.sys
ATI Technologies

67ffbc158dd4d27ba3fc92c6acd87f73 ati1xbxx.sys
ATI Technologies

0d8cab1f08f7d3c4de228b49e12e596a ati1xsxx.sys
ATI Technologies

2d030c2f6b036ca0bc243e1b16d924d1 ati2mtaa.sys
ATI Technologies

8759322ffc1a50569c1e5528ee8026b7 ati2mtag.sys
ATI Technologies

993e7bd6438fe989e328c6b4bca246a9 atinbtxx.sys
ATI Technologies

ed4c2bf8403f4437987c0ba09cf48716 atinmdxx.sys
ATI Technologies

e90ac2b14e98f1a4372e5891b4278784 atinpdxx.sys
ATI Technologies

da36687d701c833430605a298731410b atinraxx.sys
ATI Technologies

a7a01b907db63898d40b0a14248ff9a2 atinrvxx.sys
ATI Technologies

ceddee2e0591894d19654d458fd3b9be atinsnxx.sys
ATI Technologies

d80a8f6c0a717446496c3a06d33b0d9c atinttxx.sys
ATI Technologies

edd66332608d27f4fd5069bcd0bc5164 atintuxx.sys
ATI Technologies

3e7d485cbd0b0d9f6ea2ad9442411831 atinxbxx.sys
ATI Technologies

77b575d7aab35d5908ae6ce681608d62 atinxsxx.sys
ATI Technologies

9916c1225104ba14794209cfa8012159 atmarpc.sys
Microsoft Corporation

39a0a59180f19946374275745b21aeba atmepvc.sys
Microsoft Corporation

ae76348a2605fb197fa8ff1d6f547836 atmlane.sys
Microsoft Corporation

e7ef69b38d17ba01f914ae8f66216a38 atmuni.sys
Microsoft Corporation

d9f724aa26c010a217c97606b160ed68 audstub.sys
Microsoft Corporation

5b44c214f9cd9f590be9125347610380 avgntdd.sys
Avira Gmb

47b879406246ffdced59e18d331a0e7d avgntflt.sys
Avira Gmb

87451aa7cc6b6a590ebcea05e755075a avgntmgr.sys
Avira Gmb

da39805e2bad99d37fce9477dd94e7f2 avipbb.sys
Avira Gmb

0d93976f7801b7fcd8135cc77257bbd0 battc.sys
Microsoft Corporation

cd4646067cc7dcba1907fa0acf7e3966 bcm4sbxp.sys
Broadcom Corporation

da1f27d85e0d1525f6621372e7b685e9 beep.sys
Microsoft Corporation

f934d1b230f84e1d19dd00ac5a7a83ed bridge.sys
Microsoft Corporation

b279426e3c0c344893ed78a613a73bde bthenum.sys
Microsoft Corporation

fca6f069597b62d42495191ace3fc6c1 bthmodem.sys
Microsoft Corporation

80602b8746d3738f5886ce3d67ef06b6 bthpan.sys
Microsoft Corporation

662bfd909447dd9cc15b1a1c366583b4 bthport.sys
Microsoft Corporation

bb68cebffd181e18a26112d1b9f90f3d bthprint.sys
Microsoft Corporation

61364cd71ef63b0f038b7e9df00f1efa bthusb.sys
Microsoft Corporation

90a673fc8e12a79afbed2576f6a7aaf9 cbidf2k.sys
Microsoft Corporation

f3ec03299634490e97bbce94cd2954c7 cd20xrnt.sys
Microsoft Corporation

c1b486a7658353d33a10cc15211a873b cdaudio.sys
Microsoft Corporation

c885b02847f5d2fd45a24e219ed93b32 cdfs.sys
Microsoft Corporation

1f4260cc5b42272d71f79e570a27a4fe cdrom.sys
Microsoft Corporation

b562592b7f5759c99e179ca467ecfb4c cinemst2.sys
Ravisent Technologies

fe47dd8fe6d7768ff94ebec6c74b2719 classpnp.sys
Microsoft Corporation

0f6c187d38d98f8df904589a5f94d411 cmbatt.sys
Microsoft Corporation

e5dcb56c533014ecbc556a8357c929d5 cmdide.sys
CMD Technology

6e4c9f21f0fae8940661144f41b13203 compbatt.sys
Microsoft Corporation

3ee529119eed34cd212a215e8c40d4b6 cpqarray.sys
Microsoft Corporation

9624293e55ad405415862b504ca95b73 cpqdap01.sys
Compaq Computer Corp

f50d9bdbb25cce075e514dc07472a22f crusoe.sys
Microsoft Corporation

e550e7418984b65a78299d248f0a7f36 dac2w2k.sys
Mylex Corporation

683789caa3864eb46125ae86ff677d34 dac960nt.sys
Microsoft Corporation

e65e2353a5d74ea89971cb918eeeb2f6 diskdump.sys
Microsoft Corporation

044452051f3e02e7963599fc8f4f3e25 disk.sys
Microsoft Corporation

d992fe1274bde0f84ad826acae022a41 dmboot.sys
Microsoft Corp

7c824cf7bbde77d95c08005717a95f6f dmio.sys
Microsoft Corp

e9317282a63ca4d188c0df5e09c6ac5f dmload.sys
Microsoft Corp

8a208dfcf89792a484e76c40e5f50b45 dmusic.sys
Microsoft Corporation

40f3b93b4e5b0126f2f5c0a7a5e22660 dpti2o.sys
Microsoft Corporation

8f5fcff8e8848afac920905fbd9d33c8 drmkaud.sys
Microsoft Corporation

6cb08593487f5701d2d2254e693eafce drmk.sys
Microsoft Corporation

e814854e6b246ccf498874839ab64d77 drvmcdb.sys
Sonic Solutions

ee83a4ebae70bc93cf14879d062f548b drvnddm.sys
Sonic Solutions

fe97d0343acfdebdd578fc67cc91fa87 dxapi.sys
Microsoft Corporation

ac7280566a7bb85cb3291f04ddc1198e dxg.sys
Microsoft Corporation

a73f5d6705b1d820c19b18782e176efd dxgthk.sys
Microsoft Corporation

3fca03cbca11269f973b70fa483c88ef e100b325.sys
Intel Corporation

80d1b490b60e74e002dc116ec5d41748 enum1394.sys
Microsoft Corporation

38d332a6d56af32635675f132548343e fastfat.sys
Microsoft Corporation

92cdd60b6730b9f50f6a1a0c1f8cdc81 fdc.sys
Microsoft Corporation

d45926117eb9fa946a6af572fbe1caa3 fips.sys
Microsoft Corporation

9d27e7b80bfcdf1cdd9b555862d5e7f0 flpydisk.sys
Microsoft Corporation

b2cf4b0786f8212cb92ed2b50c6db6b0 fltmgr.sys
Microsoft Corporation

3e1e2bd4f39b0e2b7dc4f4d2bcc2779a fs_rec.sys
Microsoft Corporation

455f778ee14368468560bd7cb8c854d0 fsvga.sys
Microsoft Corporation

6ac26732762483366c3969c9e4d2259d ftdisk.sys
Microsoft Corporation

3a74c423cf6bcca6982715878f450a3b gagp30kx.sys
Microsoft Corporation

8182ff89c65e4d38b2de4bb0fb18564e GEARAspiWDM.sys
GEAR Software

573c7d0a32852b48f3058cfd8026f511 hdaudbus.sys
Windows Server DDK provider

7bd2de4c85eb4241eed57672b16a7d8d hidbth.sys
Microsoft Corporation

1af592532532a402ed7c060f6954004f hidclass.sys
Microsoft Corporation

bb1a6fb7d35a91e599973fa74a619056 hidir.sys
Microsoft Corporation

96eccf28fdbf1b2cc12725818a63628d hidparse.sys
Microsoft Corporation

ccf82c5ec8a7326c3066de870c06daf1 hidusb.sys
Microsoft Corporation

b028377dea0546a5fcfba928a8aefae0 hpn.sys
Microsoft Corporation

970178e8e003eb1481293830069624b9 hsfbs2s2.sys
Conexant

0c5b9cf1bdf998750d9c5eeb5f8c55ac HSF_CNXT.sys
Conexant

1225ebea76aac3c84df6c54fe5e5d8be hsfcxts2.sys
Conexant

ebb354438a4c5a3327fb97306260714a hsfdpsp2.sys
Conexant

b2dfc168d6f7512faea085253c5a37ad HSF_DP.sys
Conexant

b678fa91cf4a1c19b462d8db04cd02ab HSF_DPV.SYS
Conexant

a84bbbdd125d370593004f6429f8445c HSFHWICH.sys
Conexant

f80a415ef82cd06ffaf0d971528ead38 http.sys
Microsoft Corporation

9368670bd426ebea5e8b18a62416ec28 i2omgmt.sys
Microsoft Corporation

f10863bf1ccc290babd1a09188ae49e0 i2omp.sys
Microsoft Corporation

4a0b06aa8943c1e332520f7440c0aa30 i8042prt.sys
Microsoft Corporation

5a8e05f1d5c36abd58cffa111eb325ea ialmnt5.sys
Intel Corporation

083a052659f5310dd8b6a6cb05edcf8e imapi.sys
Microsoft Corporation

4a40e045faee58631fd8d91afc620719 ini910u.sys
Microsoft Corporation

b5466a9250342a7aa0cd1fba13420678 intelide.sys
Microsoft Corporation

8c953733d8f36eb2133f5bb58808b66b intelppm.sys
Microsoft Corporation

3bb22519a194418d5fec05d800a19ad0 ip6fw.sys
Microsoft Corporation

731f22ba402ee4b62748adaf6363c182 ipfltdrv.sys
Microsoft Corporation

b87ab476dcf76e72010632b5550955f5 ipinip.sys
Microsoft Corporation

cc748ea12c6effde940ee98098bf96bb ipnat.sys
Microsoft Corporation

23c74d75e36e7158768dd63d92789a91 ipsec.sys
Microsoft Corporation

c93c9ff7b04d772627a3646d89f7bf89 irenum.sys
Microsoft Corporation

05a299ec56e52649b1cf2fc52d20f2d7 isapnp.sys
Microsoft Corporation

463c1ec80cd17420a542b7f36a36f128 kbdclass.sys
Microsoft Corporation

692bcf44383d056aed41b045a323d378 kmixer.sys
Microsoft Corporation

b467646c54cc746128904e1654c750c1 ksecdd.sys
Microsoft Corporation

0753515f78df7f271a5e61c20bcd36a1 ks.sys
Microsoft Corporation

75b8ef2a089127e8a3b38f46cc366d79 mbamswissarmy.sys
Malwarebytes Corporation

f61b04f2bb5098a34817d776c59e5e7c mbam.sys
Malwarebytes Corporation

d1f8be91ed4ddb671d42e473e3fe71ab mcd.sys
Microsoft Corporation

3c318b9cd391371bed62126581ee9961 mdmxsdk.sys
Conexant

a7da20ab18a1bdae28b0f349e57da0d1 mf.sys
Microsoft Corporation

4ae068242760a1fb6e1a44bf4e16afa6 mnmdd.sys
Microsoft Corporation

dfcbad3cec1c5f964962ae10e0bcc8e1 modem.sys
Microsoft Corporation

35c9e97194c8cfb8430125f8dbc34d04 mouclass.sys
Microsoft Corporation

b1c303e17fb9d46e87a98e4ba6769685 mouhid.sys
Microsoft Corporation

a80b9a0bad1b73637dbcbba7df72d3fd mountmgr.sys
Microsoft Corporation

3f4bb95e5a44f3be34824e8e7caf0737 mraid35x.sys
American Megatrends

11d42bb6206f33fbb3ba0288d3ef81bd mrxdav.sys
Microsoft Corporation

f3aefb11abc521122b67095044169e98 mrxsmb.sys
Microsoft Corporation

c941ea2454ba8350021d774daf0f1027 msfs.sys
Microsoft Corporation

0a02c63c8b144bd8c86b103dee7c86a2 msgpc.sys
Microsoft Corporation

d1575e71568f4d9e14ca56b7b0453bf1 mskssrv.sys
Microsoft Corporation

325bb26842fc7ccc1fcce2c457317f3e mspclock.sys
Microsoft Corporation

bad59648ba099da4a17680b39730cb3d mspqm.sys
Microsoft Corporation

af5f4f3f14a8ea2c26de30f7a1e17136 mssmbios.sys
Microsoft Corporation

c53775780148884ac87c455489a0c070 mtlmnt5.sys
Smart Link

54886a652bf5685192141df304e923fd mtlstrm.sys
Smart Link

6dda78a0be692b61b668fab860f276cf mtxparhm.sys
Matrox Graphics

2f625d11385b1a94360bfc70aaefdee1 mup.sys
Microsoft Corporation

b538dcd9816ea35fa4f637cfc261aaa8 mutohpen.sys
Microsoft Corporation

1df7f42665c94b825322fae71721130d ndis.sys
Microsoft Corporation

1ab3d00c991ab086e69db84b6c0ed78f ndistapi.sys
Microsoft Corporation

f927a4434c5028758a842943ef1a3849 ndisuio.sys
Microsoft Corporation

edc1531a49c80614b2cfda43ca8659ab ndiswan.sys
Microsoft Corporation

9282bd12dfb069d3889eb3fcc1000a9b ndproxy.sys
Microsoft Corporation

5d81cf9a2f1a3a756b66cf684911cdf0 netbios.sys
Microsoft Corporation

74b2b2f5bea5e9a3dc021d685551bd3d netbt.sys
Microsoft Corporation

e9e47cfb2d461fa0fc75b7a74c6383ea nic1394.sys
Microsoft Corporation

be984d604d91c217355cdd3737aad25d nikedrv.sys
Diamond Multimedia Systems

1e421a6bcf2203cc61b821ada9de878b nmnt.sys
Microsoft Corporation

3182d64ae053d6fb034f44b6def8034a npfs.sys
Microsoft Corporation

78a08dd6a8d65e697c18e1db01c5cdca ntfs.sys
Microsoft Corporation

576b34ceae5b7e5d9fd2775e93b3db53 ntmtlfax.sys
Smart Link

73c1e1f395918bc2c6dd67af7591a3ad null.sys
Microsoft Corporation

2b298519edbfcf451d43e0f1e8f1006d nv4_mini.sys
NVIDIA Corporation

b305f3fad35083837ef46a0bbce2fc57 nwlnkflt.sys
Microsoft Corporation

c99b3415198d1aab7227f2c88fd664b9 nwlnkfwd.sys
Microsoft Corporation

8b8b1be2dba4025da6786c645f77f123 nwlnkipx.sys
Microsoft Corporation

56d34a67c05e94e16377c60609741ff8 nwlnknb.sys
Microsoft Corporation

c0bb7d1615e1acbdc99757f6ceaf8cf0 nwlnkspx.sys
Microsoft Corporation

ca33832df41afb202ee7aeb05145922f ohci1394.sys
Microsoft Corporation

b17228142cec9b3c222239fd935a37ca omci.sys
Dell

4bb30ddc53ebc76895e38694580cdfe9 oprghdlr.sys
Microsoft Corporation

c90018bafdc7098619a4a95b046b30f3 p3.sys
Microsoft Corporation

5575faf8f97ce5e713d108c2a58d7c7c parport.sys
Microsoft Corporation

beb3ba25197665d82ec7065b724171c6 partmgr.sys
Microsoft Corporation

70e98b3fd8e963a6a46a2e6247e0bea1 parvdm.sys
Microsoft Corporation

ccf5f451bb1a5a2a522a76e670000ff0 pciide.sys
Microsoft Corporation

52e60f29221d0d1ac16737e8dbf7c3e9 pciidex.sys
Microsoft Corporation

a219903ccf74233761d92bef471a07b1 pci.sys
Microsoft Corporation

9e89ef60e9ee05e3f2eef2da7397f1c1 pcmcia.sys
Microsoft Corporation

f50f7c27f131afe7beba13e14a3b9416 perc2hib.sys
Microsoft Corporation

6c14b9c19ba84f73d3a86dba11133101 perc2.sys
Microsoft Corporation

e82a496c3961efc6828b508c310ce98f portcls.sys
Microsoft Corporation

a32bebaf723557681bfc6bd93e98bd26 processr.sys
Microsoft Corporation

09298ec810b07e5d582cb3a3f9255424 psched.sys
Microsoft Corporation

80d317bd1c3dbc5d4fe7b1678c60cadd ptilink.sys
Parallel Technologies

7c81ae3c9b82ba2da437ed4d31bc56cf pxhelp20.sys
Sonic Solutions

0a63fb54039eb5662433caba3b26dba7 ql1080.sys
QLogic Corporation

6503449e1d43a0ff0201ad5cb1b8c706 ql10wnt.sys
Microsoft Corporation

156ed0ef20c15114ca097a34a30d8a01 ql12160.sys
QLogic Corporation

70f016bebde6d29e864c1230a07cc5e6 ql1240.sys
Microsoft Corporation

907f0aeea6bc451011611e732bd31fcf ql1280.sys
QLogic Corporation

fe0d99d6f31e4fad8159f690d68ded9c rasacd.sys
Microsoft Corporation

11b4a627bc9614b885c4969bfa5ff8a6 rasl2tp.sys
Microsoft Corporation

5bc962f2654137c9909c3d4603587dee raspppoe.sys
Microsoft Corporation

efeec01b1d3cf84f16ddd24d9d9d8f99 raspptp.sys
Microsoft Corporation

fdbb1d60066fcfbb7452fd8f9829b242 raspti.sys
Microsoft Corporation

01524cd237223b18adbb48f70083f101 rawwan.sys
Microsoft Corporation

7ad224ad1a1437fe28d89cf22b17780a rdbss.sys
Microsoft Corporation

4912d5b403614ce99c28420f75353332 rdpcdd.sys
Microsoft Corporation

15cabd0f7c00c47c70124907916af3f1 rdpdr.sys
Microsoft Corporation

6728e45b66f93c08f11de2e316fc70dd rdpwd.sys
Microsoft Corporation

e9aaa0092d74a9d371659c4c38882e12 recagent.sys
Smart Link

f828dd7e1419b6653894a8f97a0094c5 redbook.sys
Microsoft Corporation

851c30df2807fcfa21e4c681a7d6440e rfcomm.sys
Microsoft Corporation

a56fe08ec7473e8580a390bb1081cdd7 rio8drv.sys
Diamond Multimedia Systems

0a854df84c77a0be205bfeab2ae4f0ec riodrv.sys
Diamond Multimedia Systems

96f7a9a7bf0c9c0440a967440065d33c rmcast.sys
Microsoft Corporation

601844cbcf617ff8c868130ca5b2039d rndismp.sys
Microsoft Corporation

726548542afeca56257ff01eb13bb6d7 rndismpx.sys
Microsoft Corporation

d8b0b4ade32574b2d9c5cc34dc0dbbe7 rootmdm.sys
Microsoft Corporation

96b4494d4734970f47c566e098c4f527 s24trans.sys
Intel Corporation

0dbcc071a268e0340a2ba6bdd98bace4 s3gnbm.sys
SGraphics

76c465f570e90c28942d52ccb2580a10 scsiport.sys
Microsoft Corporation

8d04819a3ce51b9eb47e5689b44d43c4 sdbus.sys
Microsoft Corporation

90a3935d05b494a5a39d37e71f09a677 secdrv.sys
Macrovision Corporation

0f29512ccd6bead730039fb4bd2c85ce serenum.sys
Microsoft Corporation

cca207a8896d4c6a0c9ce29a4ae411a7 serial.sys
Microsoft Corporation

0fa803c64df0914b41f807ea276bf2a6 sffdisk.sys
Microsoft Corporation

d66d22d76878bf3483a6be30183fb648 sffp_mmc.sys
Microsoft Corporation

c17c331e435ed8737525c86a7557b3ac sffp_sd.sys
Microsoft Corporation

8e6b8c671615d126fdc553d1e2de5562 sfloppy.sys
Microsoft Corporation

6b33d0ebd30db32e27d1d78fe946a754 sisagp.sys
Silicon Integrated Systems

d9673011648a71ed1e1f77b831bc85e6 slnt7554.sys
Smart Link

2c1779c0feb1f4a6033600305eba623a slntamr.sys
Smart Link

f9b8e30e82ee95cf3e1d3e495599b99c slnthal.sys
Smart Link

db56bb2c55723815cf549d7fc50cfceb slwdmsup.sys
Smart Link

895be38a993b9bd5abbe570d63d88a2e smbali.sys
Microsoft Corporation

017daecf0ed3aa731313433601ec40fa smclib.sys
Microsoft Corporation

489703624dac94ed943c2abda022a1cd sonydcam.sys
Microsoft Corporation

83c0f71f86d3bdaf915685f3d568b20e sparrow.sys
Adaptec

ab8b92451ecb048a4d1de7c3ffcb4a9f splitter.sys
Microsoft Corporation

76bb022c2fb6902fd5bdd4f78fc13a5d sr.sys
Microsoft Corporation

0f6aefad3641a657e18081f52d0c15af srv.sys
Microsoft Corporation

d7968049be0adbb6a57cee3960320911 sscdbhk5.sys
Sonic Solutions

a36ee93698802cd899f98bfd553d8185 ssmdrv.sys
Avira Gmb

c3ffd65abfb6441e7606cf74f1155273 ssrtln.sys
Sonic Solutions

305cc42945a713347f978d78566113f3 STAC97.sys
SigmaTel

3e5d89099ded9e86e5639f411693218f stream.sys
Microsoft Corporation

3941d127aef12e93addf6fe6ee027e0f swenum.sys
Microsoft Corporation

8ce882bcc6cf8a62f2b2323d95cb3d01 swmidi.sys
Microsoft Corporation

1ff3217614018630d0a6758630fc698c symc810.sys
Symbios Logic

070e001d95cf725186ef8b20335f933c symc8xx.sys
LSI Logic

80ac1c4abbe2df3b738bf15517a51f2c sym_hi.sys
LSI Logic

bf4fab949a382a8e105f46ebb4937058 sym_u3.sys
LSI Logic

8b83f3ed0f1688b4958f77cd6d2bf290 sysaudio.sys
Microsoft Corporation

fd6093e3decd925f1cffc8a0dd539d72 tape.sys
Microsoft Corporation

4e53bbcc4be37d7a4bd6ef1098c89ff7 tcpip6.sys
Microsoft Corporation

9aefa14bd6b182d61e3119fa5f436d3d tcpip.sys
Microsoft Corporation

0539d5e53587f82d1b4fd74c5be205cf tdi.sys
Microsoft Corporation

6471a66807f5e104e4885f5b67349397 tdpipe.sys
Microsoft Corporation

c56b6d0402371cf3700eb322ef3aaf61 tdtcp.sys
Microsoft Corporation

88155247177638048422893737429d9e termdd.sys
Microsoft Corporation

699450901c5ccfd82357cbc531cedd23 tosdvd.sys
Microsoft Corporation

f2790f6af01321b172aa62f8e1e187d9 toside.sys
Microsoft Corporation

d74a8ec75305f1d3cfde7c7fc1bd62a9 tsbvcap.sys
Toshiba Corporation

8f861eda21c05857eb8197300a92501c tunmp.sys
Microsoft Corporation

d85938f272d1bcf3db3a31fc0a048928 uagp35.sys
Microsoft Corporation

5787b80c2e3c5e2f56c2a233d91fa2c9 udfs.sys
Microsoft Corporation

1b698a51cd528d8da4ffaed66dfc51b9 ultra.sys
Promise Technology
Promise Technology
Promise Technology
Promise Technology
Promise Technology

402ddc88356b1bac0ee3dd1580c76a31 update.sys
Microsoft Corporation

bee793d4a059caea55d6ac20e19b3a8f usb8023.sys
Microsoft Corporation

b6cc50279d6cd28e090a5d33244adc9a usb8023x.sys
Microsoft Corporation

4b8a9c16b6d9258ed99c512aecb8c555 usbaapl.sys
Apple

ce97845d2e3f0d274b8bac1ed07c6149 usbcamd2.sys
Microsoft Corporation

1c1a47b40c23358245aa8d0443b6935e usbcamd.sys
Microsoft Corporation

173f317ce0db8e21322e71b7e60a27e8 usbccgp.sys
Microsoft Corporation

596eb39b50d6ebd9b734dc4ae0544693 usbd.sys
Microsoft Corporation

65dcf09d0e37d4c6b11b5b0b76d470a7 usbehci.sys
Microsoft Corporation

1ab3cdde553b6e064d2e754efe20285c usbhub.sys
Microsoft Corporation

290913dc4f1125e5a82de52579a44c43 usbintel.sys
Microsoft Corporation

791912e524cc2cc6f50b5f2b52d1eb71 usbport.sys
Microsoft Corporation

a717c8721046828520c9edf31288fc00 usbprint.sys
Microsoft Corporation

a0b8cf9deb1184fbdd20784a58fa75d4 usbscan.sys
Microsoft Corporation

a32426d9b14a089eaa1d922e0c5801a9 usbstor.sys
Microsoft Corporation

26496f9dee2d787fc3e61ad54821ffe6 usbuhci.sys
Microsoft Corporation

63bbfca7f390f4c49ed4b96bfb1633e0 usbvideo.sys
Microsoft Corporation

55e01061c74a8cefff58dc36114a8d3f vdmindvd.sys
Ravisent Technologies

0d3a8fafceacd8b7625cd549757a7df1 vga.sys
Microsoft Corporation

754292ce5848b3738281b4f3607eaef4 viaagp.sys
Microsoft Corporation

3b3efcda263b8ac14fdf9cbdd0791b2e viaide.sys
Microsoft Corporation

e28726b72c46821a28830e077d39a55b videoprt.sys
Microsoft Corporation

4c8fcb5cc53aab716d810740fe59d025 volsnap.sys
Microsoft Corporation

f0608f3b5b6d16f4870e867f9d069b6b w29n51.sys
Intel Corporation

aced8c149b30f8496c237bcba3727b48 wacompen.sys
Microsoft Corporation

0308aef61941e4af478fa1a0f83812f5 wadv07nt.sys
Intel Corporation

714038a8aa5de08e12062202cd7eaeb5 wadv08nt.sys
Intel Corporation

7bb3aa595e4507a788de1cdc63f4c8c4 wadv09nt.sys
Intel Corporation

36e6c405b6143d09687f4056fd9a0d10 wadv11nt.sys
Intel Corporation

e20b95baedb550f32dd489265c1da1f6 wanarp.sys
Microsoft Corporation

352fa0e98bc461ce1ce5d41f64db558d watv06nt.sys
Intel Corporation

791cc45de6e50445be72e8ad6401ff45 watv10nt.sys
Intel Corporation

6768acf64b18196494413695f0c3a00f wdmaud.sys
Microsoft Corporation

c3880bf1bad0b8eb69efb07a9c3fa7d9 wg111v2.sys
NETGEAR

2f31b7f954bed437f2c75026c65caf7b wmilib.sys
Microsoft Corporation

cf4def1bf66f06964dc0d91844239104 wpdusb.sys
Microsoft Corporation

6abe6e225adb5a751622a9cc3bc19ce8 ws2ifsl.sys
Microsoft Corporation

f15feafffbb3644ccc80c5da584e6311 WudfPf.sys
Microsoft Corporation

28b524262bce6de1f7ef9f510ba3985b WudfRd.sys
Microsoft Corporation



Filefind.txt

Search results for Winlogon.exe

01c3346c241652f43aed8e2149881bfe /mnt/sda2/i386/winlogon.exe
490.5K Aug 4 2004

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/system32/winlogon.exe
496.0K Apr 14 2008

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/ServicePackFiles/i386/winlogon.exe
496.0K Apr 14 2008

01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/$NtServicePackUninstall$/winlogon.exe
490.5K Aug 4 2004


Search results for explorer.exe

7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda2/WINDOWS/$hf_mig$/KB938828/SP2QFE/explorer.exe
1009.0K Jun 13 2007

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/WINDOWS/explorer.exe
1009.5K Apr 14 2008

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/WINDOWS/ServicePackFiles/i386/explorer.exe
1009.5K Apr 14 2008

a0732187050030ae399b241436565e64 /mnt/sda2/WINDOWS/$NtUninstallKB938828$/explorer.exe
1008.0K Aug 4 2004

97bd6515465659ff8f3b7be375b2ea87 /mnt/sda2/WINDOWS/$NtServicePackUninstall$/explorer.exe
1009.0K Jun 13 2007


Search results for Userinit.exe

39b1ffb03c2296323832acbae50d2aff /mnt/sda2/i386/userinit.exe
24.0K Aug 4 2004

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/WINDOWS/system32/userinit.exe
25.5K Apr 14 2008

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/WINDOWS/ServicePackFiles/i386/userinit.exe
25.5K Apr 14 2008

39b1ffb03c2296323832acbae50d2aff /mnt/sda2/WINDOWS/$NtServicePackUninstall$/userinit.exe
24.0K Aug 4 2004




RegReport.txt

Remote Registry Report

Hive </mnt/sda2/WINDOWS/system32/config/SOFTWARE>
\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 42 [0x2a]
Microsoft Windows XP
\Microsoft\Windows NT\CurrentVersion> Value <CSDVersion> of type REG_SZ, data length 30 [0x1e]
Service Pack 3
\Microsoft\Windows NT\CurrentVersion> Value <SystemRoot> of type REG_SZ, data length 22 [0x16]
C:\WINDOWS
\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 2 [0x2]
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 12 subkeys and 0 values
<crypt32chain>
<cryptnet>
<cscdll>
<dimsntfy>
<igfxcui>
<ScCertProp>
<Schedule>
<sclgntfy>
<SensLogn>
<termsrv>
<WgaLogon>
<wlballoon>
\Microsoft\Windows\CurrentVersion\Run> Node has 1 subkeys and 13 values
<OptionalComponents>
size type value name [value if type DWORD]
108 REG_SZ <DVDLauncher>
74 REG_SZ <dla>
154 REG_SZ <ISUSScheduler>
66 REG_SZ <igfxtray>
60 REG_SZ <igfxhkcmd>
66 REG_SZ <igfxpers>
92 REG_SZ <IntelZeroConfig>
180 REG_SZ <IntelWireless>
102 REG_SZ <SunJavaUpdateSched>
118 REG_SZ <ISUSPM Startup>
200 REG_SZ <EPSON Stylus DX6000 Series>
70 REG_SZ <Apoint>
112 REG_SZ <avgnt>
(...)\Windows\CurrentVersion\policies\system> Node has 0 subkeys and 5 values
4 REG_DWORD <dontdisplaylastusername> 0 [0x0]
4 REG_DWORD <legalnoticecaption> 1 [0x1]
8 REG_SZ <legalnoticetext>
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]


Hive </mnt/sda2/Documents and Settings/Administrator/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 0 values
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
size type value name [value if type DWORD]
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]


Hive </mnt/sda2/Documents and Settings/Alison/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
148 REG_SZ <swg>
104 REG_SZ <QuickTime Task>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]


Hive </mnt/sda2/Documents and Settings/John/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
62 REG_SZ <ctfmon.exe>
148 REG_SZ <swg>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]


Hive </mnt/sda2/Documents and Settings/Rosalinda/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 3 values
size type value name [value if type DWORD]
148 REG_SZ <swg>
104 REG_SZ <QuickTime Task>
62 REG_SZ <ctfmon.exe>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]


Hive </mnt/sda2/Documents and Settings/Student/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 3 values
size type value name [value if type DWORD]
104 REG_SZ <QuickTime Task>
62 REG_SZ <ctfmon.exe>
148 REG_SZ <swg>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
4 REG_DWORD <NoDriveTypeAutoRun> 145 [0x91]

I should add that after sending the above reply, I then clicked on the Avira dialogue box "More details" (which was positioned bottom right on my PC screen) to see what it said, then another Avira dialogue box appeared in the midddle of the screen, saying "Scanning.... ".

This looked exactly like the message I'd seen on the laptop, when I ended up installing the "System Tool" virus. This time I did what I'd been advised to do in this circumstance: crash out by holding down the PC's power off button (not Windows Start).

I waited to see if my PC would re-boot. It has, which is why I'm able to type this! Very scary, though! This Trojan is a real b******!

This post has been edited by Johnny Blue: 03 March 2011 - 12:23 PM

I believe there is an infection in the Master Boot Record, but I need to confirm that. Were you able to produce the mbr.bin? If you did, zip the file and attach it to a reply.

JSntgRvr, on 03 March 2011 - 03:22 PM, said:

Yes, the MBR is infected (the Avira Antivir Rescue Disk had already told me this, which I mentioned in my original post).

I was able to produce the mbr.bin file, and it is on the USB drive, but I can't zip it, for the reason I gave in my earlier reply (Post #6), which I repeat here:

One problem: everything went well (love that xPUD program! I'll have to convert to Linux one day!) until I put the USB into my desktop PC. The Avira dialogue box came up "Guard: Malware found" "BOO/TDss.A found in mbr.bin" "Access Denied". This is the exact same style of box that came up on my wife's laptop when I got the original infection, so I'm very nervous (except that this time I know it's genuine!).

Unfortunately it also means that neither WinRAR nor 7-Zip can get access to it to zip it! What now?

After I had sent that reply, I then tried to get rid of the Avira Antivir dialogue box, and this is what happened (see my post #7, above):

I should add that after sending the above reply, I then clicked on the Avira dialogue box "More details" (which was positioned bottom right on my PC screen) to see what it said, then another Avira dialogue box appeared in the midddle of the screen, saying "Scanning.... ".

This looked exactly like the message I'd seen on the laptop, when I ended up installing the "System Tool" virus. This time I did what I'd been advised to do in this circumstance: crash out by holding down the PC's power off button (not Windows Start).

I waited to see if my PC would re-boot. It has, which is why I'm able to type this! Very scary, though! This Trojan is a real b******!

JSntgRvr, I hope you can help me sort this out!

Meanwhile, another forum member has sent me this PM:

Can you download a Knoppix .iso file on another machine and burn the cd? If so, you can then boot up with the Knoppix and copy everything to an external or USB stick for a backup. I Knoppix all the time to recover data on Windows machines that won't boot.

Is this genuine, and a good idea? (I do not want to download another virus/Trojan, nor do I want to compromise the work you are doing for me.)

Many thanks for your time.

No. Stay with me.

Copy the MBR.bin to the desktop of a working computer. It wont do any harm. Right click on the file and select "Send to". Select Compressed (Zipped folder). Then attach the zipped fie to a reply. Once you have verified the file is attached, delete the mbr.bin from the computer.

Please do not accept personal messages on this issue.

Still can't do this, I'm afraid. Even using Vista Administrator Permissions, I can't do anything with this file, presumably because Avira is blocking access.

See attached screenshot to show you what I see.

I believe that clicking anything on that Avira dialogue installs the Trojan, so after sending this message, I'll turn off my PC. If you don't hear from me in a while, you'll know that now my PC has become infected.

EDIT:

Please ignore the fact that the MBR.BIN file is recognised by VLC (video-viewing software), which gives it the traffic cone icon.

This post has been edited by Johnny Blue: 04 March 2011 - 11:41 AM

OK, this is really weird!

I am posting this now from the "infected" laptop!

I turned it on and didn't act quickly enough to tell it to boot from the CD drive. Next thing I see the Windows XP logo (which I haven't seen on this machine since last Sunday!) and then it boots normally! Of course, I'm very suspicious, and have ran the Avira Boot Record test, which has ccme up negative (see screenshot). I don't know if this is the same as the MBR, which was (is?) infected according to the checks we ran.

I'm also running a check with Malwarebytes Anti-Malware and it's not found anything yet...

What on earth is going on here? I can't believe the Trojan has just disappeared of its own accord!

Johnny Blue, on 04 March 2011 - 11:16 AM, said:

You have a file association problem in that computer, but we can handle that later.

Johnny Blue, on 04 March 2011 - 01:50 PM, said:

Since it booted, follow these steps:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  -----------------------------------------------------------
  
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    
    If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton
    
    -----------------------------------------------------------
  
  
  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  
  -----------------------------------------------------------
  
• Double click on combofix.exe & follow the prompts.
  
• Install the Recovery Console if prompted.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\ComboFix.txt" .

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Combofix Log:

ComboFix 11-03-04.02 - John 04/03/2011 20:48:41.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.259 [GMT 0:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-04 to 2011-03-04 )))))))))))))))))))))))))))))))
.
.
2011-03-03 15:10 . 2011-03-03 15:12 -------- d-----w- C:\Store
2011-03-01 11:57 . 1999-04-24 03:22 93890 ------w- C:\COMMAND.COM
2011-02-15 23:12 . 2011-02-15 23:13 -------- d-----w- c:\program files\Apoint2K
2011-02-15 23:12 . 2011-02-15 23:12 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2011-02-15 23:12 . 2011-02-15 23:12 108606 ----a-w- c:\windows\system32\SET76.tmp
2011-02-15 19:14 . 2011-02-15 19:14 -------- d-----w- c:\documents and settings\All Users\Uniblue
2011-02-15 19:02 . 2011-02-15 19:02 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{DE8EABB5-1C85-4410-A68D-79BD8A4518F4}
2011-02-15 19:01 . 2011-02-15 19:01 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\PackageAware
2011-02-15 18:59 . 2011-02-15 19:01 -------- d-----w- c:\program files\Uniblue
2011-02-11 15:00 . 2011-02-11 15:00 -------- d-----w- c:\documents and settings\Rosalinda\Local Settings\Application Data\Apple
2011-02-11 14:45 . 2011-02-11 14:45 -------- d-----w- c:\documents and settings\Rosalinda\Application Data\Avira
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-15 23:11 . 2005-08-03 12:29 86016 ----a-w- c:\windows\system32\mdmxsdk.dll
2011-02-15 23:11 . 2005-08-03 12:29 705408 ----a-w- c:\windows\system32\drivers\HSF_CNXT.sys
2011-02-15 23:11 . 2005-08-03 12:29 13059 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2011-02-15 23:11 . 2005-05-03 14:09 1033728 ----a-w- c:\windows\system32\drivers\HSF_DPV.SYS
2011-02-15 23:11 . 2005-08-03 12:29 208384 ----a-w- c:\windows\system32\drivers\HSFHWICH.sys
2011-02-15 23:11 . 2005-08-03 12:29 45568 ----a-w- c:\windows\system32\drivers\bcm4sbxp.sys
2011-01-21 14:44 . 2004-08-10 11:51 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 11:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 11:51 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-29 15:58 . 2010-12-04 18:50 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-22 12:34 . 2004-08-10 11:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08 . 2004-08-10 11:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2004-08-10 11:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2004-08-10 11:51 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2004-08-10 11:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 18:09 . 2009-07-22 18:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2009-07-22 18:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 17:26 . 2004-08-10 11:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-10 11:51 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-10 11:51 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-10 11:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2004-08-10 11:51 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 21:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-05 15:27 . 2010-12-04 18:50 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-06 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-02-27 1368064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2001 Delivery Agent.lnk]
backup=c:\windows\pss\QuickBooks 2001 Delivery Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerSuite]
2010-12-23 16:37 67448 ----a-w- c:\program files\Uniblue\PowerSuite\Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 11:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-08-03 12:56 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedUpMyPC]
2011-02-15 19:00 67960 ----a-w- c:\program files\Uniblue\SpeedUpMyPC\Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-06 18:18 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"KService"=2 (0x2)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [04/12/2010 18:50 135336]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [26/12/2007 01:47 272128]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/02/2010 12:24 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 12:24]
.
2011-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 12:24]
.
2011-03-04 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2010-12-23 19:03]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-04 21:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1395699086-1158974684-3220981258-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(712)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2011-03-04 21:08:01
ComboFix-quarantined-files.txt 2011-03-04 21:07
.
Pre-Run: 8,547,508,224 bytes free
Post-Run: 9,359,400,960 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 47806660FEA171177D0D2B89EE14D6ED

And, just in case you think I'm making all this up, here's the Avira Rescue disk log (from Thursday 3 March):

Avira / Linux Version 1.9.152.0
Copyright © 2010 by Avira GmbH
All rights reserved.
engine set: 8.2.4.176
VDF Version: 7.11.3.241
Scan start time: Thu Mar 3 15:28:33 2011
configuration file: /etc/avira/scancl.conf
Master boot sector (disk /dev/sda)
ALERT: [BOO/TDss.A] Master boot sector (disk /dev/sda) <<< Contains signature of the boot sector virus BOO/TDss.A


WARNING: [IO error on file] Master boot sector (disk /dev/sr0)


Boot sector (/dev/sda1)
Boot sector (/dev/sda2)
Boot sector (/dev/sda3)
Statistics :
Master boot sectors....... : 1
Infected.............. : 1
Ignored........... : 1
Boot sectors.............. : 3
Infected.............. : 0
Directories............... : 0
Files..................... : 1
Infected.............. : 0
Warnings.............. : 1
Suspicious............ : 0
Infections................ : 1

This post has been edited by Johnny Blue: 04 March 2011 - 05:19 PM