
Win32/Mebroot.mbr trojan


21 replies to this topic

#1 JustcallmeRey

JustcallmeRey

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 24 December 2009 - 05:45 PM

Posted Image

This is what happens when I try and clean.

Posted Image


It showed up when I plugged in my external hard drive after I restarted my computer.

Before it said it was on the 2. physical disk, that might have been my second hard drive, which was disconnected when I plugged in my external, because prior to that I received the same alert saying it was on the 2. physical disk when they were both plugged in. I disconnected the external and left my second hard drive plugged in, then I began to run scans and I followed some tips from a few sites to get rid of it. I've also reformatted Windows to get rid of it. I ran scans after and I had nothing, everything was fine, but then I was stupid and plugged in my external hard drive, then I got the alert posted in the screenshot; I disconnected it quickly. I ran a scan after that and I have nothing.

Do I still have the bug? Because that only popped up because I connected my external hard drive. When I disconnected the external I ran scans, and I get nothing on my computer's hard drive. Are my PC and second hard drive clean and only my external dirty? I ran scans on my second hard drive and it's clean as well. I read up on this virus and it's pretty nasty; I currently have Nod32 and Malwarebytes.

I want to know if the virus is hiding itself or if it's finally gone. Some help would be greatly appreciated, forgive me if my explanation sucks.

This is my Malwarebytes log

Malwarebytes' Anti-Malware 1.42
Database version: 3425
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/24/2009 7:32:43 AM
mbam-log-2009-12-24 (07-32-43).txt

Scan type: Full Scan (C:|D:|F:|)
Objects scanned: 175251
Time elapsed: 1 hour(s), 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterAntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterFirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




This is my hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:15 AM, on 12/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:Program FilesESETESET Smart Securityekrn.exe
C:Program FilesCommon FilesNew BoundaryPrismXLPRISMXL.SYS
C:Program FilesDigital Media Readershwiconem.exe
C:WINDOWSsystem32igfxtray.exe
C:WINDOWSsystem32hkcmd.exe
C:Program FilesCyberLinkPowerDVDPDVDServ.exe
C:Program FilesESETESET Smart Securityegui.exe
C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:WINDOWSsystem32wuauclt.exe
C:Documents and SettingsOwnerDesktophi jack thisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:PROGRA~1MICROS~2Office12GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar1.dll
O4 - HKLM..Run: [SunKistEM] C:Program FilesDigital Media Readershwiconem.exe
O4 - HKLM..Run: [IgfxTray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [RemoteControl] "C:Program FilesCyberLinkPowerDVDPDVDServ.exe"
O4 - HKLM..Run: [Recguard] %WINDIR%SMINSTRECGUARD.EXE
O4 - HKLM..Run: [Reminder] %WINDIR%CreatorRemind_XP.exe
O4 - HKLM..Run: [egui] "C:Program FilesESETESET Smart Securityegui.exe" /hide /waitservice
O4 - HKLM..Run: [GrooveMonitor] "C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe"
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [Aim] "C:Program FilesAIMaim.exe" /d locale=en-US
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe
O4 - Global Startup: BigFix.lnk = C:Program FilesBigFixBigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:Program FilesSIFXINSTSIFXINST.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:WINDOWSsystem32Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:PROGRA~1MICROS~2Office12GR99D3~1.DLL
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:Program FilesESETESET Smart SecurityEHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:Program FilesESETESET Smart Securityekrn.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:Program FilesCommon FilesNew BoundaryPrismXLPRISMXL.SYS

--
End of file - 3931 bytes



ComboFix Log

ComboFix 09-12-24.02 - Owner 12/24/2009 8:12.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.751.485 [GMT -8:00]
Running from: c:documents and settingsOwnerDesktopComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:recyclerS-1-5-21-3425661521-1243843623-4044898816-1003
c:windowssystem32404Fix.exe
c:windowssystem32Agent.OMZ.Fix.exe
c:windowssystem32dumphive.exe
c:windowssystem32IEDFix.C.exe
c:windowssystem32IEDFix.exe
c:windowssystem32o4Patch.exe
c:windowssystem32Process.exe
c:windowssystem32SrchSTS.exe
c:windowssystem32tmp.reg
c:windowssystem32VACFix.exe
c:windowssystem32VCCLSID.exe
c:windowssystem32WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-24 14:28 . 2009-12-24 14:28 -------- d-----w- c:documents and settingsOwnerApplication DataCyberLink
2009-12-24 14:28 . 2009-12-24 14:28 -------- d-----w- c:documents and settingsAll UsersApplication DataCyberLink
2009-12-24 12:56 . 2009-12-24 12:56 -------- d-----w- c:windowsSun
2009-12-24 11:44 . 2006-10-27 03:56 33104 ----a-w- c:windowssystem32Spoolprtprocsw32x86msonpppr.dll
2009-12-24 11:44 . 2006-10-27 03:56 32592 ----a-w- c:windowssystem32msonpmon.dll
2009-12-24 11:42 . 2009-12-24 11:42 -------- d-----w- c:program filesMicrosoft Works
2009-12-24 11:41 . 2009-12-24 11:41 -------- d-----w- c:program filesMSBuild
2009-12-24 11:38 . 2009-12-24 11:38 -------- d-----w- c:program filesMicrosoft.NET
2009-12-24 11:31 . 2009-12-24 11:40 -------- d-----w- c:windowsSHELLNEW
2009-12-24 11:31 . 2009-12-24 11:31 -------- d-----w- c:documents and settingsOwnerLocal SettingsApplication DataMicrosoft Help
2009-12-24 11:31 . 2009-12-24 11:45 -------- d-----w- c:documents and settingsAll UsersApplication DataMicrosoft Help
2009-12-24 11:30 . 2009-12-24 11:30 -------- d-----r- C:MSOCache
2009-12-24 10:45 . 2009-12-24 10:45 -------- d-----w- c:documents and settingsOwnerLocal SettingsApplication DataApplicationHistory
2009-12-24 08:49 . 2009-12-24 08:49 -------- d-----w- c:program filesoCommunitySuite-3.0
2009-12-24 06:47 . 2009-12-24 06:47 -------- d-----w- c:documents and settingsOwnerLocal SettingsApplication DataGoogle
2009-12-24 06:45 . 2009-12-23 21:28 -------- d-----w- c:documents and settingsAll UsersApplication DataESET
2009-12-24 06:36 . 2004-08-20 23:50 159744 ----a-w- c:windowssystem32igfxres.dll
2009-12-24 06:35 . 2009-12-24 05:21 -------- d-----w- c:windowssystem32configsystemprofileWINDOWS
2009-12-24 06:35 . 2009-12-24 06:12 45056 ----a-r- c:documents and settingsDefault UserApplication DataMicrosoftInstaller{15377C3E-9655-400F-B441-E69F0A6BEAFE}NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-12-24 06:35 . 2009-12-24 06:12 10134 ----a-r- c:documents and settingsDefault UserApplication DataMicrosoftInstaller{15377C3E-9655-400F-B441-E69F0A6BEAFE}ARPPRODUCTICON.exe
2009-12-24 06:35 . 2009-12-24 06:12 49152 ----a-r- c:documents and settingsDefault UserApplication DataMicrosoftInstaller{15377C3E-9655-400F-B441-E69F0A6BEAFE}NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-12-24 06:35 . 2009-12-24 06:12 45056 ----a-r- c:documents and settingsDefault UserApplication DataMicrosoftInstaller{15377C3E-9655-400F-B441-E69F0A6BEAFE}NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-12-24 06:35 . 2009-12-24 07:00 -------- d-----w- c:documents and settingsDefault UserApplication DataAOL
2009-12-24 06:35 . 2009-12-24 06:13 -------- d-----w- c:documents and settingsDefault UserApplication DataYou've Got Pictures Screensaver
2009-12-24 06:35 . 2009-12-24 06:12 -------- d-----w- c:documents and settingsDefault UserApplication DataSampleView
2009-12-24 06:35 . 2009-12-24 05:21 -------- d-----w- c:documents and settingsDefault UserWINDOWS
2009-12-24 06:27 . 2009-12-24 07:00 -------- d-----w- c:documents and settingsOwnerApplication DataAOL
2009-12-24 06:19 . 2009-12-24 06:46 -------- d-----w- c:program filesCommon FilesMcAfee
2009-12-24 06:19 . 2009-12-24 06:46 -------- d-----w- c:documents and settingsAll UsersApplication DataMcAfee
2009-12-24 06:19 . 2009-12-24 06:19 -------- d-----w- c:documents and settingsAll UsersApplication DataMcAfee.com
2009-12-24 06:19 . 2009-12-23 21:21 -------- d-----w- c:program filesMcAfee
2009-12-24 06:18 . 2005-03-08 00:05 341568 ----a-w- c:windowssystem32mcinsctl.dll
2009-12-24 06:18 . 2005-02-15 20:34 277616 ----a-w- c:windowssystem32mcgdmgr.dll
2009-12-24 06:18 . 2008-07-09 07:38 26488 ----a-w- c:windowssystem32spupdsvc.exe
2009-12-24 06:17 . 2009-12-24 10:35 -------- d--h--w- c:windows$hf_mig$
2009-12-24 06:16 . 2004-08-04 19:00 221184 ----a-w- c:windowssystem32wmpns.dll
2009-12-24 06:15 . 2003-03-25 13:00 67072 ----a-w- c:windowsPOWERCFG.EXE
2009-12-24 06:15 . 2009-12-24 06:15 -------- d-----w- c:program filesCommon FilesAdobe
2009-12-24 06:12 . 2009-12-23 21:21 -------- d-----w- c:program filesPure Networks
2009-12-24 06:12 . 2009-12-24 06:12 -------- d-----w- c:documents and settingsOwnerApplication DataSampleView
2009-12-24 06:12 . 2009-12-23 21:01 -------- d-----w- c:documents and settingsAll UsersApplication DataAOL
2009-12-24 06:12 . 2009-12-24 07:02 -------- d-----w- c:program filesCommon FilesAOL
2009-12-24 06:12 . 2009-12-24 06:12 335 ----a-w- c:windowsnsreg.dat
2009-12-24 06:12 . 2009-12-24 06:12 49152 ----a-r- c:documents and settingsOwnerApplication DataMicrosoftInstaller{15377C3E-9655-400F-B441-E69F0A6BEAFE}NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-12-24 06:12 . 2009-12-24 06:12 45056 ----a-r- c:documents and settingsOwnerApplication DataMicrosoftInstaller{15377C3E-9655-400F-B441-E69F0A6BEAFE}NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-12-24 06:12 . 2009-12-24 06:12 45056 ----a-r- c:documents and settingsOwnerApplication DataMicrosoftInstaller{15377C3E-9655-400F-B441-E69F0A6BEAFE}NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-12-24 06:12 . 2009-12-24 06:12 10134 ----a-r- c:documents and settingsOwnerApplication DataMicrosoftInstaller{15377C3E-9655-400F-B441-E69F0A6BEAFE}ARPPRODUCTICON.exe
2009-12-24 06:11 . 2009-12-24 06:56 -------- d-----w- c:documents and settingsAll UsersApplication DataNapster
2009-12-24 06:11 . 2009-12-24 06:11 4 ----a-w- c:windowsPix11.dat
2009-12-24 06:10 . 2004-09-04 00:07 20480 ----a-w- c:windowssystem32Marker32.exe
2009-12-24 06:10 . 2009-12-24 06:10 -------- d-----w- c:program filesSIFXINST
2009-12-24 06:09 . 2009-12-24 06:10 -------- d-----w- c:program filesJava
2009-12-24 06:09 . 2009-12-24 06:09 -------- d-----w- c:program filesCommon FilesJava
2009-12-24 06:09 . 2009-12-24 06:09 -------- d-----w- c:documents and settingsOwnerLocal SettingsApplication Data{3248F0A6-6813-11D6-A77B-00B0D0150020}
2009-12-24 06:09 . 2009-12-24 06:09 -------- d-----w- c:program filesCyberLink
2009-12-24 06:06 . 2004-03-22 22:17 25840 ----a-w- c:windowssystem32Spoolprtprocsw32x86mdippr.dll
2009-12-24 06:06 . 2004-03-22 22:17 24816 ----a-w- c:windowssystem32mdimon.dll
2009-12-24 06:04 . 2004-08-04 08:56 4096 ----a-w- c:windowssystem32ksuser.dll
2009-12-24 06:04 . 2004-08-04 07:15 145792 ----a-w- c:windowssystem32driversportcls.sys
2009-12-24 06:04 . 2004-08-04 07:08 60288 ----a-w- c:windowssystem32driversdrmk.sys
2009-12-24 06:04 . 2004-10-27 23:49 73728 ------w- c:windowssoundman.exe
2009-12-24 06:04 . 2004-10-27 22:57 2284864 ----a-w- c:windowssystem32driversALCXWDM.SYS
2009-12-24 06:04 . 2004-09-07 23:23 156672 ----a-w- c:windowssystem32RTLCPAPI.dll
2009-12-24 06:04 . 2004-02-26 03:00 40448 ------w- c:windowssystem32ChCfg.exe
2009-12-24 06:04 . 2004-10-27 22:17 9179648 ------w- c:windowssystem32RTLCPL.exe
2009-12-24 06:04 . 2004-11-06 01:29 208896 ------w- c:windowsalcupd.exe
2009-12-24 06:04 . 2004-09-02 05:04 139264 ------w- c:windowsalcrmv.exe
2009-12-24 06:04 . 2004-07-20 22:24 1136 ------w- c:windowssystem32driversalcxinit.dat
2009-12-24 05:58 . 2009-12-23 21:21 -------- d-----w- c:documents and settingsAll UsersApplication DataSymantec
2009-12-24 05:58 . 2009-12-24 05:58 -------- d-----w- c:program filesGoogle
2009-12-24 05:58 . 2009-12-24 05:58 -------- d-----w- c:program filesBigFix
2009-12-24 05:58 . 2001-11-02 18:31 18000 ----a-w- c:windowsBigFixClientOverride.dll
2009-12-24 05:58 . 2009-12-24 05:58 -------- d-----w- c:program filesIntel
2009-12-24 05:57 . 2009-12-24 06:11 -------- d--h--w- c:program filesInstallShield Installation Information
2009-12-24 05:51 . 2009-12-24 05:51 -------- d-----w- c:documents and settingsAll UsersApplication DataPrism Deploy
2009-12-24 05:51 . 2009-12-24 05:51 -------- d-----w- c:program filesCommon FilesNew Boundary
2009-12-24 05:48 . 2009-12-24 05:49 -------- d-----w- c:windowssystem32URTTemp
2009-12-24 05:48 . 2001-08-17 21:48 12160 ----a-w- c:windowssystem32driversmouhid.sys
2009-12-24 05:48 . 2004-08-04 08:56 21504 ----a-w- c:windowssystem32hidserv.dll
2009-12-24 05:48 . 2001-08-17 22:02 9600 ----a-w- c:windowssystem32drivershidusb.sys
2009-12-24 05:47 . 2009-12-24 05:47 -------- d-----w- c:program filesCONEXANT
2009-12-24 05:47 . 2004-08-04 08:56 7168 ----a-w- c:windowssystem32hccoin.dll
2009-12-24 05:47 . 2004-08-04 07:08 26624 ----a-w- c:windowssystem32driversusbehci.sys
2009-12-24 05:28 . 2009-12-24 05:28 60 ----a-w- c:windowssystem32SYSDRV.DAT
2009-12-24 05:28 . 2009-12-24 06:24 -------- d-----w- c:windowscreator
2009-12-24 05:25 . 2001-08-17 22:36 13824 ----a-w- c:windowssystem32wowfaxui.dll
2009-12-24 05:24 . 2001-08-17 22:36 69699 ----a-w- c:windowssystem32usrcoina.dll
2009-12-24 05:23 . 2004-08-03 23:08 16000 ----a-w- c:windowssystem32driversusbintel.sys
2009-12-24 05:22 . 2004-08-03 23:01 196864 -c--a-w- c:windowssystem32dllcacherdpdr.sys
2009-12-24 05:22 . 2004-08-04 00:56 47104 ----a-w- c:windowssystem32cnbjmon.dll
2009-12-24 05:22 . 2009-12-24 05:22 -------- d-----w- c:documents and settingsOwnerLocal SettingsApplication DataMozilla
2009-12-24 05:18 . 2009-12-24 09:23 -------- d-----w- c:documents and settingsOwnerLocal SettingsApplication DataAdobe
2009-12-24 05:13 . 2009-12-23 22:46 -------- d-s---w- c:documents and settingsOwnerUserData
2009-12-24 01:49 . 2004-08-04 08:56 21504 ----a-w- c:windowssystem32drivershidserv.dll
2009-12-24 01:43 . 2009-12-24 01:43 -------- d-----w- c:windowsServicePackFiles
2009-12-23 23:32 . 2009-12-23 23:48 -------- d-----w- c:windowssystem32CatRoot_bak
2009-12-23 23:27 . 2008-06-13 13:10 272128 -c----w- c:windowssystem32dllcachebthport.sys
2009-12-23 23:27 . 2008-06-13 13:10 272128 ------w- c:windowssystem32driversbthport.sys
2009-12-23 23:22 . 2008-10-24 11:10 453632 -c----w- c:windowssystem32dllcachemrxsmb.sys
2009-12-23 23:19 . 2009-08-04 13:58 2136064 -c----w- c:windowssystem32dllcachentkrnlmp.exe
2009-12-23 23:19 . 2009-08-04 14:00 2180352 -c----w- c:windowssystem32dllcachentoskrnl.exe
2009-12-23 23:19 . 2009-08-04 13:13 2015744 -c----w- c:windowssystem32dllcachentkrpamp.exe
2009-12-23 23:19 . 2009-08-04 13:13 2057728 -c----w- c:windowssystem32dllcachentkrnlpa.exe
2009-12-23 23:17 . 2009-12-23 23:17 -------- d-----w- c:program filesESET
2009-12-23 21:31 . 2009-12-23 21:31 -------- d-----w- c:documents and settingsOwnerApplication DataESET
2009-12-23 21:24 . 2009-12-23 21:24 -------- d-----w- c:documents and settingsOwnerApplication DataMalwarebytes
2009-12-23 21:24 . 2009-12-04 00:14 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2009-12-23 21:24 . 2009-12-23 21:24 -------- d-----w- c:program filesMalwarebytes' Anti-Malware
2009-12-23 21:24 . 2009-12-23 21:24 -------- d-----w- c:documents and settingsAll UsersApplication DataMalwarebytes
2009-12-23 21:24 . 2009-12-04 00:13 19160 ----a-w- c:windowssystem32driversmbam.sys
2009-12-23 21:02 . 2009-12-23 21:02 -------- d-----w- c:documents and settingsOwnerApplication Dataacccore
2009-12-23 21:02 . 2009-12-23 21:03 -------- d-----w- c:documents and settingsOwnerLocal SettingsApplication DataAIM
2009-12-23 21:02 . 2009-12-23 21:02 -------- d-----w- c:documents and settingsOwnerLocal SettingsApplication DataAOL
2009-12-23 21:02 . 2009-12-23 21:02 -------- d-----w- c:documents and settingsAll UsersApplication DataAIM
2009-12-23 21:01 . 2009-12-23 21:02 -------- d-----w- c:program filesAIM
2009-12-23 21:01 . 2009-12-23 21:01 -------- d-----w- c:program filesCommon FilesSoftware Update Utility

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 06:56 . 2009-12-24 05:56 -------- d-----w- c:program filesCommon FilesInstallShield
2009-12-24 06:13 . 2009-12-24 06:13 -------- d-----w- c:documents and settingsOwnerApplication DataYou've Got Pictures Screensaver
2009-12-24 06:13 . 2009-12-24 06:13 -------- d-----w- c:program filesCommon FilesNullsoft
2009-12-24 06:13 . 2009-12-24 06:13 -------- d-----w- c:program filesQuickTime
2009-12-24 06:13 . 2009-12-24 06:13 -------- d-----w- c:documents and settingsAll UsersApplication DataQuickTime
2009-12-24 06:13 . 2009-12-24 06:13 8552 ----a-w- c:windowssystem32driversasctrm.sys
2009-12-24 06:13 . 2009-12-24 06:13 -------- d-----w- c:program filesCommon FilesReal
2009-12-24 06:13 . 2009-12-24 06:13 -------- d-----w- c:program filesReal
2009-12-24 06:13 . 2009-12-24 06:13 -------- d-----w- c:documents and settingsAll UsersApplication DataViewpoint
2009-12-24 06:13 . 2009-12-24 06:13 -------- d-----w- c:program filesViewpoint
2009-12-24 06:13 . 2009-12-24 06:13 -------- d-----w- c:documents and settingsAll UsersApplication DataPure Networks
2009-12-24 05:56 . 2009-12-24 05:56 -------- d-----w- c:program filesDigital Media Reader
2009-12-24 05:21 . 2004-08-26 18:04 -------- d-----w- c:program filesmicrosoft frontpage
2009-12-24 01:50 . 2009-12-24 01:50 0 ---ha-w- c:windowssystem32driversMsft_Kernel_NuidFltr_01005.Wdf
2009-12-24 01:50 . 2009-12-24 01:50 0 ---ha-w- c:windowssystem32driversMsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-10-29 05:48 . 2006-06-17 21:06 662016 ----a-w- c:windowssystem32wininet.dll
2009-10-21 06:00 . 2006-06-17 21:06 75776 ----a-w- c:windowssystem32strmfilt.dll
2009-10-21 06:00 . 2006-06-17 21:03 25088 ----a-w- c:windowssystem32httpapi.dll
2009-10-20 14:58 . 2006-06-17 21:03 263552 ----a-w- c:windowssystem32drivershttp.sys
2009-10-13 10:53 . 2006-06-17 21:05 266752 ----a-w- c:windowssystem32oakley.dll
2009-10-12 13:54 . 2006-06-17 21:05 69632 ----a-w- c:windowssystem32raschap.dll
2009-10-12 13:54 . 2006-06-17 21:05 112128 ----a-w- c:windowssystem32rastls.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"MSMSGS"="c:program filesMessengermsmsgs.exe" [2004-08-04 1667584]
"Aim"="c:program filesAIMaim.exe" [2009-12-01 3951976]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"SunKistEM"="c:program filesDigital Media Readershwiconem.exe" [2004-11-15 135168]
"IgfxTray"="c:windowssystem32igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:windowssystem32hkcmd.exe" [2004-08-20 118784]
"RemoteControl"="c:program filesCyberLinkPowerDVDPDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:windowsSMINSTRECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:windowsCreatorRemind_XP.exe" [2005-03-15 966656]
"egui"="c:program filesESETESET Smart Securityegui.exe" [2009-09-11 2054360]
"GrooveMonitor"="c:program filesMicrosoft OfficeOffice12GrooveMonitor.exe" [2006-10-27 31016]

c:documents and settingsAll UsersStart MenuProgramsStartup
Adobe Reader Speed Launch.lnk - c:program filesAdobeAcrobat 7.0Readerreader_sl.exe [2004-12-14 29696]
BigFix.lnk - c:program filesBigFixBigFix.exe [2009-12-23 1742384]
Install Pending Files.LNK - c:program filesSIFXINSTSIFXINST.EXE [2009-12-23 729088]

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"%windir%system32sessmgr.exe"=
"c:Program FilesCommon FilesAOLLoaderaolload.exe"=
"c:Program FilesAIMaim.exe"=
"c:Program FilesMicrosoft OfficeOffice12OUTLOOK.EXE"=
"c:Program FilesMicrosoft OfficeOffice12GROOVE.EXE"=
"c:Program FilesMicrosoft OfficeOffice12ONENOTE.EXE"=

R1 ehdrv;ehdrv;c:windowssystem32driversehdrv.sys [9/11/2009 7:23 AM 108792]
R2 ekrn;ESET Service;c:program filesESETESET Smart Securityekrn.exe [9/11/2009 7:24 AM 735960]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.emachines.com/
IE: E&xport to Microsoft Excel - c:progra~1MICROS~2Office12EXCEL.EXE/3000
FF - ProfilePath - c:documents and settingsOwnerApplication DataMozillaFirefoxProfilesmieko160.default
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:program filesJavajre1.5.0_02binNPJava11.dll
FF - plugin: c:program filesJavajre1.5.0_02binNPJava12.dll
FF - plugin: c:program filesJavajre1.5.0_02binNPJava13.dll
FF - plugin: c:program filesJavajre1.5.0_02binNPJava14.dll
FF - plugin: c:program filesJavajre1.5.0_02binNPJava32.dll
FF - plugin: c:program filesJavajre1.5.0_02binNPJPI150_02.dll
FF - plugin: c:program filesJavajre1.5.0_02binNPOJI610.dll
FF - plugin: c:program filesMozilla Firefoxpluginsnpdnupdater2.dll
FF - plugin: c:program filesViewpointViewpoint Experience TechnologynpViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.
- - - - ORPHANS REMOVED - - - -

AddRemove-QuickTime - c:windowsunvise32qt.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 08:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-12-24 08:16:41
ComboFix-quarantined-files.txt 2009-12-24 16:16

Pre-Run: 44,327,084,032 bytes free
Post-Run: 44,302,667,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
c:cmdconsBOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 4C4D002C4E1E81B8F2F3584005D543F2



I've also tried the
ESET Mebroot Remover

and it found nothing.





SmitfraudFix LOG

SmitFraudFix v2.424

Scan done at 8:43:04.62, Thu 12/24/2009
Run from C:Documents and SettingsOwnerDesktopSmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSExplorer.EXE
C:Documents and SettingsOwnerDesktopSmitfraudFixPolicies.exe
C:WINDOWSsystem32cmd.exe

hosts


C:


C:WINDOWS


C:WINDOWSsystem


C:WINDOWSWeb


C:WINDOWSsystem32


C:Documents and SettingsOwner


C:DOCUME~1OwnerLOCALS~1Temp


C:Documents and SettingsOwnerApplication Data


Start Menu


C:DOCUME~1OwnerFAVORI~1


Desktop


C:Program Files

C:Program FilesGooglegoogletoolbar1.dll FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerDesktopComponents0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
"Userinit"="C:WINDOWSsystem32userinit.exe,"

RK

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
"System"=""




DNS

HKLMSYSTEMCCSServicesTcpip..{BA516439-4D95-4DA5-987C-AA2D0D8864BB}: DhcpNameServer=65.32.5.111 65.32.5.112
HKLMSYSTEMCS1ServicesTcpip..{BA516439-4D95-4DA5-987C-AA2D0D8864BB}: DhcpNameServer=65.32.5.111 65.32.5.112
HKLMSYSTEMCS2ServicesTcpip..{BA516439-4D95-4DA5-987C-AA2D0D8864BB}: DhcpNameServer=65.32.5.111 65.32.5.112
HKLMSYSTEMCCSServicesTcpipParameters: DhcpNameServer=65.32.5.111 65.32.5.112
HKLMSYSTEMCS1ServicesTcpipParameters: DhcpNameServer=65.32.5.111 65.32.5.112
HKLMSYSTEMCS2ServicesTcpipParameters: DhcpNameServer=65.32.5.111 65.32.5.112


Scanning for wininet.dll infection


End


Merged posts. ~ OB

Edited by Orange Blossom, 25 December 2009 - 02:48 AM.




#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:41 AM

Posted 26 December 2009 - 01:17 AM

GMER Rootkit Scanner - Download - Homepage
Why? Rootkits can generally be removed effectively, but they need to be removed before other malware can be cleaned, and they sometimes interfere with some of the tools we use. If you start a new topic, please include the GMER log as an initial check for the presence of rootkits:
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.




Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 JustcallmeRey

JustcallmeRey
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 26 December 2009 - 07:25 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-26 07:24:05
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxldqpod.sys


---- System - GMER 1.0.15 ----

SSDT 82AE18A0 ZwAssignProcessToJobObject
SSDT 82AE0CB0 ZwOpenProcess
SSDT 82AE10D0 ZwOpenThread
SSDT 82AE16D0 ZwSuspendProcess
SSDT 82AE14F0 ZwSuspendThread
SSDT 82AE0EE0 ZwTerminateProcess
SSDT 82AE1310 ZwTerminateThread

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:492] 82ADF930

---- EOF - GMER 1.0.15 ----


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !



#4 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:41 AM

Posted 26 December 2009 - 07:34 PM

Erm.. can you attach the external drive to the computer and then do another scan with GMER? This time just tick all options available (but don't tick "Show All")



#5 JustcallmeRey
  • Topic Starter
  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 27 December 2009 - 02:38 AM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-26 14:35:20
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxldqpod.sys


---- System - GMER 1.0.15 ----

SSDT 82AC98A0 ZwAssignProcessToJobObject
SSDT 82AC8CB0 ZwOpenProcess
SSDT 82AC90D0 ZwOpenThread
SSDT 82AC96D0 ZwSuspendProcess
SSDT 82AC94F0 ZwSuspendThread
SSDT 82AC8EE0 ZwTerminateProcess
SSDT 82AC9310 ZwTerminateThread

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF7C9A300]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[468] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:496] 82AC7930

---- EOF - GMER 1.0.15 ----


My computer turned off while I was scanning, because the power in my room went off for a second. When Windows started I got the notice again with the external hard drive plugged in; I only get that message when the external is plugged in.

Edited by JustcallmeRey, 27 December 2009 - 02:39 AM.


#6 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:41 AM

Posted 27 December 2009 - 02:43 AM

Does the external drive contain Windows?

Let's do this first (do it with your external drive plugged in)

copy/paste (not cut and paste) the mbr.exe that you saved on the Desktop to C:\WINDOWS folder..

Then, go to Start >> Run >> copy/paste below >> Press Enter

mbr -f

Then a logfile (mbr.log) will be created on your screen (find it at C:\Windows\mbr.log)



#7 JustcallmeRey
  • Topic Starter
  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 27 December 2009 - 02:48 AM

No, the external is just storage.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !



#8 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:41 AM

Posted 27 December 2009 - 02:54 AM

Hello, please reboot your computer into Recovery Console mode.. Refer to the picture below

[screenshot]

Please look for the above screen carefully; it only shows for two seconds before Windows loads.

Use your keyboard arrows and choose Microsoft Windows Recovery Console >> then hit Enter

You'll then get the screen below

[screenshot]

The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.

It will then prompt you for the Administrator's password. If there is no password, simply press Enter. Otherwise type in the password and then press enter. If you do not know your password then see this.

At the C:\WINDOWS> prompt, type the line below and press Enter (make sure you type it right..)

fixmbr

After that, type Exit and press Enter.. Reboot your computer and tell me how it goes.. Remember to do everything with the external drive attached to the computer



#9 JustcallmeRey
  • Topic Starter
  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 27 December 2009 - 03:03 AM

Question: how do I get to the first image? Because I use an eMachines recovery disk that came with my computer.

#10 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:41 AM

Posted 27 December 2009 - 03:35 AM

The ComboFix already installed the Recovery Console for you.. When you reboot the machine, you'll get the screen below for two seconds.. You must manually choose the "Microsoft Windows Recovery Console" option via your keyboard arrows and press Enter

[screenshot]


After that proceed with the rest of the instruction



#11 JustcallmeRey
  • Topic Starter
  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 27 December 2009 - 03:46 AM

I don't get that option. It says eMachines recovery, then after 10 seconds, for 2 seconds, it says "start recovery now, press F11", but that just took me to eMachines recovery.

#12 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:41 AM

Posted 27 December 2009 - 04:38 AM

No, we don't want that..


Go to below link and download MBRFix

http://www.sysint.no/en/Download.aspx

Save and unzip it to your Desktop.. Then open the mbrfix folder and copy both mbrfix.exe and mbrfix64.exe to the root of your C drive..

Then go to Start >> Run >> copy/paste below >> Enter

C:\MbrFix.exe /drive 0 fixmbr /yes


Or, alternatively, you can open a command prompt (Start >> Run >> cmd >> Enter), type cd\ and press Enter

At the C:\> prompt, type MbrFix /drive 0 fixmbr /yes and press Enter...

Reboot your computer.. Run mbr.exe again and post the log here



#13 JustcallmeRey
  • Topic Starter
  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 27 December 2009 - 12:43 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !


Any special folder on the C drive I was supposed to drop that in?

#14 JustcallmeRey
  • Topic Starter
  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:41 PM

Posted 27 December 2009 - 11:54 PM

I ran a scan on my external HD alone and it tells me that's where the infection is. I scanned the whole computer and I don't get it anywhere else, so what I'm trying to say is, if I just get rid of the external HD, would that solve my issue? This is where it is located: K:\64a6a49f6c9b303eb97c9dc521\Thumbs.db - error opening. I tried deleting that folder and it won't budge. I am asking this because when I reformatted my computer, prior to finding out I had this virus in the first place, I had no problem; I ran scans and I had nothing showing up. I've restarted my computer like 2 times and nothing came up until I plugged in my external hard drive and started my computer, and I got the alert. Now when I don't connect the external I don't get the message upon a restart. I left it plugged in since the day you told me. When I ran the scan it picked it up in not even a second, so if I just trash my external HD, am I in the clear?

#15 fenzodahl512
  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:06:41 AM

Posted 28 December 2009 - 07:32 AM

First, can you reformat the external hard disk?

Any special folder in C drive I was suppose to drop that in?


No, just put those files directly into C:\ drive

But, the first thing I will suggest is to reformat the external drive first.. Make sure it's empty.. If after the reformat you still see the "K:\64a6a49f6c9b303eb97c9dc521\Thumbs.db" file please tell me :(





