BleepingComputer.com: TROJAN:DOS/Alureon.E

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

TROJAN:DOS/Alureon.E Windows Defender Offline found this Trojan, but wont/can't remove

#1 User is offline   Chris Weeks 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 21
  • Joined: 07-November 11
  • Gender:Male

Posted 05 January 2012 - 03:47 AM

Hi.

I'm running Windows XP.

I feel it necessary to say, that despite the issues mentioned in this post my computer appears to be running normally...

Almost everytime I go to shut down my desktop PC it gives me the option 'install updates & shut down'.
This seemed irregular to me, for the last week or so it has been offering that same option on shutdown even though I thought it had already updated.

I did some research and thought that it could be some sort of virus, so I ran all my usual anti-virus & malware scanners and everything came back negative.

However, I found out about Windows Defender Offline, so I thought I'd utilise this program to check for any issues.

Windows Defender Online found 1 issue which is the TROJAN:DOS/Alureon.E but when trying to remove it error(s) occured:

Error Code 0x800704ec & Error Code 0x80501001

When I check the History in Windows Defender Offline it states that the virus has been removed, however when I rescan it appears again.

I've tried running Kaspersky's TDSSKiller, but it wont run, even after renaming it...

[I've also run Super Anti Spyware, Malwarebytes Anti-Malware, Stinger & Microsoft Security Essentials, none of which show that virus to be present.]

It would seem that this virus is a very nasty one and I really need help in removing it.

Thanks for any advice

Chris.

This post has been edited by Chris Weeks: 05 January 2012 - 03:51 AM

#2 User is offline   Chris Weeks 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 21
  • Joined: 07-November 11
  • Gender:Male

Posted 06 January 2012 - 11:50 AM

Update: I noted that the option to 'install updates & shut down' could well be appearing because a security update, namely: KB2633171 was trying to install (unsucessfully).

I manually downloaded the update. When trying to run I received the message: "The file ntkrnlpa.exe is open or is in use by another application"

I used Process Explorer to find the 'handle' and stopped ntkrnlpa.exe from running and then ran the manual updater, which then stated that update KB2633171 had been succesfully installed.

However, after restarting I've noticed the 'install updates & shut down' option is still there upon shutdown/restart, which leads me to believe that perhaps the problem lies within the 'ntkrnlpa.exe' process?

Any help would be greatly appreciated, as I just can't be sure that this PC is safe to use.

Chris.

#3 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,554
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 08 January 2012 - 03:16 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK

    Do not re-enable these drivers until otherwise instructed.


Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt

    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply


information and logs:

    In your next post I need the following

    • .logs from DDS
    • let me know of any problems you may have had


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#4 User is offline   Chris Weeks 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 21
  • Joined: 07-November 11
  • Gender:Male

Posted 08 January 2012 - 05:20 AM

Hi Gringo.

I have managed to solve the issue with my XP desktop and completely remove the virus, however, I noticed that when running an MBRCheck on my Vista laptop the message MBR Code Faked! appeared on one of my external hard drives.
As these computer's are Networked I assume the virus has spread from one to the other.

I would have approached solving the issue on the laptop in the same way I removed the virus from the desktop, however, my laptop has a faulty CD/DVD drive and I have to use an external CD/DVD Burner and am not sure how to boot from that.

On my desktop I ran Windows Defender Offline which flagged up the Virus, but as I'm not sure how to boot the laptop from a cd using the external CD/DVD drive I havent been able to run it to check for the same issue.

I've run TDSSKiller, Stinger, MSE, MBAM on the laptop, all with no issue returned, but what with the MBRCheck flagging up the faked MBR I assume that this means the extrenal hard drive is infected.

Any help would be much appreciated and sorry to take the topic off on a bit of a tangent.

Chris.

ps: should I stilll run the programs you've mentioned above, but now on the laptop?

I've also just noticed that even though I've recently removed some files to clear up some space on the external drive with the faked MBR, it keeps showing as being close to full. For example it had 11GB free earlier this morning, now it's showing as only having 3.72GB free!!

I have also notcied on more than one occasion that I have two versions of Windows Explorer running in my processes.

This post has been edited by Chris Weeks: 08 January 2012 - 06:04 AM

#5 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,554
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 08 January 2012 - 01:48 PM

Hello


show me the report that has the "faked MBR " message

gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#6 User is offline   Chris Weeks 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 21
  • Joined: 07-November 11
  • Gender:Male

Posted 08 January 2012 - 03:19 PM

Ok, here's the report...

Oops, had it attached, just read your sig, sry, here's the report...

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Sony Corporation
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Sony Corporation
System Product Name: VGN-AW11Z_B
Logical Drives Mask: 0x00000dfc

Kernel Drivers (total 178):
0x87C0C000 \SystemRoot\system32\ntkrnlpa.exe
0x87FC6000 \SystemRoot\system32\hal.dll
0x80602000 \SystemRoot\system32\kdcom.dll
0x80609000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80679000 \SystemRoot\system32\PSHED.dll
0x8068A000 \SystemRoot\system32\BOOTVID.dll
0x80692000 \SystemRoot\system32\CLFS.SYS
0x806D3000 \SystemRoot\system32\CI.dll
0x88202000 \SystemRoot\system32\drivers\Wdf01000.sys
0x88273000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x88281000 \SystemRoot\system32\drivers\acpi.sys
0x882C7000 \SystemRoot\system32\drivers\WMILIB.SYS
0x882D0000 \SystemRoot\system32\drivers\msisadrv.sys
0x882D8000 \SystemRoot\system32\drivers\pci.sys
0x882FF000 \SystemRoot\System32\drivers\partmgr.sys
0x8830E000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x88311000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8831B000 \SystemRoot\system32\drivers\volmgr.sys
0x8832A000 \SystemRoot\System32\drivers\volmgrx.sys
0x88374000 \SystemRoot\System32\drivers\mountmgr.sys
0x88807000 \SystemRoot\system32\drivers\iastor.sys
0x888D5000 \SystemRoot\system32\drivers\atapi.sys
0x888DD000 \SystemRoot\system32\drivers\ataport.SYS
0x888FB000 \SystemRoot\system32\drivers\fltmgr.sys
0x8892D000 \SystemRoot\system32\drivers\fileinfo.sys
0x8893D000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x88947000 \SystemRoot\System32\Drivers\TPkd.sys
0x88965000 \SystemRoot\System32\Drivers\ksecdd.sys
0x88A02000 \SystemRoot\system32\drivers\ndis.sys
0x88B0D000 \SystemRoot\system32\drivers\msrpc.sys
0x88B38000 \SystemRoot\system32\drivers\NETIO.SYS
0x8FE04000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8FF14000 \SystemRoot\system32\drivers\volsnap.sys
0x8FF4D000 \SystemRoot\System32\Drivers\spldr.sys
0x8FF55000 \SystemRoot\System32\Drivers\RapportKELL.sys
0x8FF61000 \SystemRoot\System32\Drivers\mup.sys
0x8FF70000 \SystemRoot\System32\drivers\ecache.sys
0x8FF97000 \SystemRoot\system32\drivers\disk.sys
0x8FFA8000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8FFC9000 \SystemRoot\system32\drivers\crcdisk.sys
0x8FFDF000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8FFEA000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x9440D000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x94D72000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x93E0A000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x93EAA000 \SystemRoot\System32\drivers\watchdog.sys
0x93EB6000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x93EC1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x93EFF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x93F0E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x93F9B000 \SystemRoot\system32\DRIVERS\yk60x86.sys
0x95006000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
0x95419000 \SystemRoot\system32\DRIVERS\jmcr_cfs.sys
0x95426000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x9544C000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x9545C000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x9546A000 \SystemRoot\system32\DRIVERS\risdptsk.sys
0x9547B000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x95495000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x954A8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x954B3000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x954DE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x954E0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x954EB000 \SystemRoot\system32\DRIVERS\SFEP.sys
0x954EE000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x95506000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x9550C000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x9551B000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x9551F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x9554E000 \SystemRoot\system32\DRIVERS\storport.sys
0x9558F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x9559A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x955B1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x955BC000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x955DF000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x93FE7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x94D74000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x955EE000 \SystemRoot\system32\DRIVERS\termdd.sys
0x94D89000 \SystemRoot\system32\DRIVERS\NIWinCDEmu.sys
0x955FE000 \SystemRoot\system32\DRIVERS\swenum.sys
0x94D9B000 \SystemRoot\system32\DRIVERS\ks.sys
0x94DC5000 \SystemRoot\system32\DRIVERS\circlass.sys
0x93E00000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x94DD3000 \SystemRoot\system32\DRIVERS\AmdLLD.sys
0x94DE2000 \SystemRoot\system32\DRIVERS\umbus.sys
0x94DEF000 \SystemRoot\System32\drivers\vga.sys
0x88B73000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x88B94000 \SystemRoot\system32\DRIVERS\monitor.sys
0x88BA3000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x88BD8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x9860A000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x98816000 \SystemRoot\system32\drivers\portcls.sys
0x98843000 \SystemRoot\system32\drivers\drmk.sys
0x98868000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x988A5000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x98407000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x984BB000 \SystemRoot\system32\drivers\modem.sys
0x984C8000 \SystemRoot\system32\drivers\nvhda32v.sys
0x984DB000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x98502000 \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\32029\RapportCerberus32_32029.sys
0x98538000 \SystemRoot\System32\Drivers\tcusb.sys
0x98543000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x9854C000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x98563000 \SystemRoot\System32\Drivers\Null.SYS
0x9856A000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x9857F000 \SystemRoot\System32\Drivers\Beep.SYS
0x98586000 \SystemRoot\System32\Drivers\usbvideo.sys
0x985B0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x985B7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x985BF000 \SystemRoot\system32\drivers\rdpencdd.sys
0x985C7000 \SystemRoot\System32\Drivers\Msfs.SYS
0x985D2000 \SystemRoot\System32\Drivers\Npfs.SYS
0x985E0000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x9900E000 \SystemRoot\System32\drivers\tcpip.sys
0x990FB000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x99116000 \SystemRoot\System32\Drivers\gbxusb.sys
0x9912B000 \SystemRoot\system32\DRIVERS\tdx.sys
0x99141000 \SystemRoot\system32\DRIVERS\smb.sys
0x99155000 \SystemRoot\System32\Drivers\gbxavs.sys
0x991AC000 \SystemRoot\system32\drivers\afd.sys
0x989A8000 \SystemRoot\system32\Drivers\rdwm1110.sys
0x88384000 \SystemRoot\System32\DRIVERS\netbt.sys
0x985E9000 \SystemRoot\system32\DRIVERS\pacer.sys
0x99000000 \SystemRoot\system32\DRIVERS\netbios.sys
0x989DB000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x989EE000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0x883B6000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x889D6000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
0x88BE9000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
0x991F4000 \SystemRoot\system32\drivers\nsiproxy.sys
0x807B3000 \SystemRoot\system32\drivers\mfehidk.sys
0x94400000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x99601000 \SystemRoot\System32\Drivers\bthport.sys
0x99681000 \SystemRoot\system32\DRIVERS\DMICall.sys
0x99682000 \SystemRoot\System32\Drivers\dfsc.sys
0x99699000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x996C2000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0x996CC000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x996E6000 \SystemRoot\system32\drivers\btwavdt.sys
0x99759000 \SystemRoot\system32\drivers\btwaudio.sys
0x997DA000 \SystemRoot\system32\DRIVERS\btwl2cap.sys
0x997E4000 \SystemRoot\system32\DRIVERS\btwrchid.sys
0x997E7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x997F7000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x985A7000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x99C0F000 \SystemRoot\System32\Drivers\fastfat.SYS
0x86CC0000 \SystemRoot\System32\win32k.sys
0x99C44000 \SystemRoot\System32\drivers\Dxapi.sys
0x86EE0000 \SystemRoot\System32\TSDDD.dll
0x86F00000 \SystemRoot\System32\cdd.dll
0x99C4E000 \SystemRoot\system32\drivers\luafv.sys
0x86F10000 \SystemRoot\System32\ATMFD.DLL
0x99C6C000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x99C7C000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x99CA6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x99CB0000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x99CC3000 \SystemRoot\system32\drivers\spsys.sys
0x99D73000 \SystemRoot\system32\drivers\HTTP.sys
0x99DE0000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x807E6000 \SystemRoot\system32\DRIVERS\bowser.sys
0xAE60D000 \SystemRoot\System32\drivers\mpsdrv.sys
0xAE622000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAE641000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAE67A000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xAE692000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAE6BA000 \SystemRoot\System32\DRIVERS\srv.sys
0xAE721000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB0407000 \SystemRoot\system32\drivers\peauth.sys
0xB04E5000 \SystemRoot\system32\DRIVERS\cdfs.sys
0xB04FB000 \??\C:\Windows\system32\drivers\regi.sys
0xB04FD000 \SystemRoot\System32\Drivers\secdrv.SYS
0xB0507000 \SystemRoot\System32\drivers\tcpipreg.sys
0xB0513000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xB051B000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB0541000 \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{964B8740-91F5-4677-B4BC-DAC0E2277BA1}\MpKsl633cb301.sys
0xB0547000 \SystemRoot\system32\DRIVERS\NisDrvWFP.sys
0xB0556000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x77280000 \Windows\System32\ntdll.dll

Processes (total 78):
0 System Idle Process
4 System
660 C:\Windows\System32\smss.exe
804 csrss.exe
844 csrss.exe
852 C:\Windows\System32\wininit.exe
892 C:\Windows\System32\services.exe
904 C:\Windows\System32\lsass.exe
912 C:\Windows\System32\lsm.exe
948 C:\Windows\System32\winlogon.exe
1100 C:\Windows\System32\svchost.exe
1144 C:\Windows\System32\nvvsvc.exe
1172 C:\Windows\System32\svchost.exe
1252 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1340 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
1484 C:\Windows\System32\svchost.exe
1508 C:\Windows\System32\svchost.exe
1528 C:\Windows\System32\svchost.exe
1624 C:\Windows\System32\audiodg.exe
1644 C:\Windows\System32\svchost.exe
1660 C:\Windows\System32\SLsvc.exe
1700 C:\Windows\System32\nvvsvc.exe
1844 C:\Windows\System32\svchost.exe
1956 C:\Windows\RTKAUDIOSERVICE.EXE
1988 C:\Program Files\Protector Suite QL\upeksvr.exe
476 C:\Windows\System32\dwm.exe
692 C:\Windows\explorer.exe
968 C:\Windows\System32\svchost.exe
1968 C:\Windows\System32\wlanext.exe
1768 C:\Windows\System32\taskeng.exe
1908 C:\Windows\System32\spoolsv.exe
1056 C:\Windows\System32\svchost.exe
2252 C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
2304 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2332 C:\Program Files\Bonjour\mDNSResponder.exe
2348 C:\Windows\System32\taskeng.exe
2388 C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe
2484 C:\Windows\System32\svchost.exe
2532 C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
2556 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
2688 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2784 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2872 C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
2956 C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
3092 C:\Windows\System32\PnkBstrA.exe
3104 C:\Windows\System32\svchost.exe
3140 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
3204 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
3224 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
3240 C:\Windows\System32\svchost.exe
3308 C:\Windows\System32\svchost.exe
3324 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
3436 C:\Windows\System32\SearchIndexer.exe
3496 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
3668 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
2744 C:\Windows\System32\alg.exe
3408 WmiPrvSE.exe
3968 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2240 C:\Program Files\Epson Software\Event Manager\EEventManager.exe
4008 C:\Program Files\Microsoft Security Client\msseces.exe
1616 C:\Windows\System32\taskeng.exe
2928 C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
1676 C:\Windows\System32\mobsync.exe
4184 C:\Windows\System32\wbem\unsecapp.exe
4668 C:\Windows\System32\svchost.exe
5052 C:\Program Files\Mozilla Firefox\firefox.exe
5508 C:\Program Files\Mozilla Firefox\plugin-container.exe
748 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
1460 C:\Program Files\Windows Live\Contacts\wlcomm.exe
3908 C:\Program Files\iTunes\iTunes.exe
5128 C:\Program Files\iPod\bin\iPodService.exe
5024 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
4944 C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
5300 C:\Windows\System32\SearchProtocolHost.exe
5548 C:\Windows\System32\SearchFilterHost.exe
3044 dllhost.exe
4408 dllhost.exe
448 C:\Users\admin\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`d2400000 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`007e0000 (NTFS)
\\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (FAT32)
\\.\L: --> \\.\PhysicalDrive6 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHZ2320BHG1, Rev: 00410009
PhysicalDrive1 Model Number: FUJITSUMHZ2320BHG1, Rev: 00410009
PhysicalDrive5 Model Number: SAMSUNGSP2514N, Rev: VF10
PhysicalDrive6 Model Number: TOSHIBAUSB 3.5"-HDD, Rev: 100

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
298 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive5 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
465 GB \\.\PhysicalDrive6 MBR Code Faked!
SHA1: 2EE7B88691D5D8851AC973481E48A167DFC99E00


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

This post has been edited by Chris Weeks: 08 January 2012 - 03:30 PM

#7 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,554
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 08 January 2012 - 05:20 PM

Print out these instructions to use while in the Recovery Console:

    1.Restart your computer.
    2.Before Windows loads, you will be prompted to choose which Operating System to start.
    3.Use the up and down arrow key to select Microsoft Windows Recovery Console
    4.You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
    5.At the C:\Windows prompt, type the following bolded entries, and press 'Enter'

      fixmbr \Device\HardDisk5


    after it restarts repeat for this drive

    fixmbr \Device\HardDisk6

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#8 User is offline   Chris Weeks 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 21
  • Joined: 07-November 11
  • Gender:Male

Posted 08 January 2012 - 05:59 PM

Hi, sorry but you say "Before Windows loads, you will be prompted to choose which Operating System to start." I never see this prompt.

I've never had to use the Microsoft Windows Recovery Console in Vista, so I'm not sure how to get into it!

& many thanks for your responses so far

Chris.

Update: I looked into how to do it and went into 'Command Prompt' under the System Recovery Options. I tried entering fixmbr \Device\HardDisk5 but received the message "is not recognized as an internal or external command, openable program or batch file".

I found some information that in Vista you have to use bootrec.exe which I did, but then the option to /FixMbr gave me the same message.

I noted that on examples given of working within Command Prompt it says: X:\Sources>, however mine reads X:\windows\system32>

I'm not really sure where to go for here...

This post has been edited by Chris Weeks: 08 January 2012 - 06:58 PM

#9 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,554
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 08 January 2012 - 08:34 PM

Run MBRCheck.exe

  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When program ask you Enter your choice: enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 6 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • The program will prompt for confirmation. Type 'YES' and hit Enter.
  • Left click on the title bar (where program name and path is written).
  • From menu chose Edit -> Select All
  • Hit the Enter key on your keyboard to copy selected text.
  • Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"
  • Restart your PC.
  • Post the text in "MBRCheck results.txt" here, please.

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#10 User is offline   Chris Weeks 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 21
  • Joined: 07-November 11
  • Gender:Male

Posted 09 January 2012 - 04:32 AM

OK...

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Sony Corporation
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Sony Corporation
System Product Name: VGN-AW11Z_B
Logical Drives Mask: 0x00000dfc

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`d2400000 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`007e0000 (NTFS)
\\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (FAT32)
\\.\L: --> \\.\PhysicalDrive6 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
298 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive5 RE: Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
465 GB \\.\PhysicalDrive6 MBR Code Faked!
SHA1: E832F9733E00E61E57AE83F2BC7D7B0AF605109B


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 6
Available MBR codes:
[ 0] Default (Windows Vista)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: YES
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!
Press ENTER to exit...

This post has been edited by Chris Weeks: 09 January 2012 - 06:08 PM

#11 User is offline   Chris Weeks 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 21
  • Joined: 07-November 11
  • Gender:Male

Posted 11 January 2012 - 03:09 AM

*Bump*


"If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic"

#12 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,554
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 11 January 2012 - 08:44 AM

Hello


been doing some research on this


if none of your onboard antivirus is picking it up then just leave it alone


with those drives not being the boot drives those MBR are not active and if you ever was to load an os on them then they would be rewritten anyway - they are not active and IF they were infected they can't do anything anyway


my best advice is to leave them alone so as not to break something


gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#13 User is offline   Chris Weeks 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 21
  • Joined: 07-November 11
  • Gender:Male

Posted 11 January 2012 - 10:07 AM

Hey Gringo, I too have been looking into it and came to a similar conclusion, the age-old "if it ain't broke, don't fix it", however it's always nice to have that reaffirmed by someone who knows way more about these things than I do, hence the *bump*;)

I've been backing up data from the drive with the 'Faked MBR' just in case, but generally speaking everything seems to be behaving itself and I've had no issues flagged up from any of my various onboard scanners.

I think I will stop using that external drive once all the relevant data from it is backed up, time to buy a new one methinks...


Thanks for your help & advice, much appreciated.

Chris

#14 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,554
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 11 January 2012 - 10:40 AM

Hello


I think I will stop using that external drive once all the relevant data from it is backed up, time to buy a new one methinks...

I don't think you have any problems if you do use it

The MBR has to do with telling the computer how to startup - since this dive has no bootable OS on it- there is nothing that mbr can do and it is never even looked at by anything

This post has been edited by gringo_pr: 11 January 2012 - 10:40 AM

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#15 User is offline   Chris Weeks 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 21
  • Joined: 07-November 11
  • Gender:Male

Posted 11 January 2012 - 01:41 PM

Ah, ok man, thanks;)

I would never have checked this laptop with MBRCheck had I not had to deal with the virus on the desktop, so really it's my own meddling that made me panic.

Sometimes ignorance is bliss:)

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users