
Have a new computer, afraid to transfer files from infected computer.


21 replies to this topic

#1 ErinC


Posted 10 August 2010 - 10:49 PM

I've been having trouble with a malware of some sort (infomoneyserv or something like that) for several months now. Each time I think it's gone, it just comes back again and I figure it out when I go to reopen Firefox and get the restore error message and see 5 windows (that weren't open when I closed FF, at least not visible to me) with Infomoneyserv/blank or something of the sort in the address field. When I look in the history of the FF, there are LOTS of sites I haven't opened and haven't seen open.

I was due for a computer upgrade anyway, so bought one. My problem is I'm afraid to transfer any of the files I want to save from this computer to the new one because nothing seems to be able to find the malware, trojan, virus, or whatever this is. I have run several anti-adware programs, had Norton and ran that, uninstalled it and installed AVG antivirus and did a full scan with nothing found. It seems SO FAR only to have affected Firefox. IE does not seem to open things in the background, but at this moment there's a process called "SYSTEM" at 102,256K running, which doesn't seem right.

A new symptom that started today is that the MS Help and Support Center window keeps opening today with the message "Cannot display the page The page you are trying to view has an incorrect address and cannot be displayed. Please try another page. " I don't think I'm doing anything to trigger it.

What can I do to be sure that any files I transfer to the new computer aren't going to infect it?

Thanks in advance for your help!

Edited to Add: I uninstalled AVG (fixed the SYSTEM resource issue) and installed the Microsoft Security Essentials and ran that. It found 5 Java exploits and SO FAR I only see index.php in the history in Firefox other than the pages I opened to get here. I'm not sure if index.php is safe or not, but it opened 3 times and I do not see it in the history yesterday when it was opening so many other sites in the background. FF RAM usage seems normal so far, not slowly climbing as it was doing prior to the Java exploits being found. Here is the info on one of the exploits found (others are similar):

Exploit:JAVA/CVE-2008-5353.DB

Category: Exploit

Description: This program is dangerous and exploits the computer on which it is run.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
containerfile:C:\Documents and Settings\Erin\Application Data\Sun\Java\Deployment\cache\6.0\3\4e84bf83-2e6c754a
file:C:\Documents and Settings\Erin\Application Data\Sun\Java\Deployment\cache\6.0\3\4e84bf83-2e6c754a->gogol/Familie.class

Edited by ErinC, 11 August 2010 - 09:03 AM.



#2 quietman7


Posted 11 August 2010 - 09:49 AM

If your computer has been infected with malware and you need to back up data to transfer to another computer, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. If you're going to use a cloud backup, use one that provides strong encryption, includes versioning and does not utilize a drive letter. If you're going to use an external hard drive, you should back up your personal files separately from programs and applications.

The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), PDF documents (*.pdf), dynamic link libraries (*.dll), .ini, .bat, .com, .cmd, .msi or .pif files, or script files (.php, .asp, .htm, .html, .xml), because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding the file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension (see Figure 1), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative: external drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision as to whether it's worth that risk.

Again, do not back up any files with the following file extensions with your personal data files: .exe, .scr, .pdf, .bat, .com, .cmd, .msi, .pif, .ini, .htm, .html, .hta, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
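One way to apply the file-selection rules from the post above mechanically, as an added example that is not part of the original post or of any BleepingComputer tool: it flags the extensions quietman7 lists, the double-extension and padding tricks he describes, executables renamed to look like documents (recognised by their "MZ" header), and .zip archives that carry executables inside. The file names and contents below are constructed for illustration, and the extension lists follow the post's advice rather than a general policy.

```python
"""Added example (not from the post above or any BleepingComputer tool):
triage files before copying them off a suspected-infected machine, applying
the post's extension rules and catching the disguises it warns about
(double extensions, padding spaces, executables renamed to look like
documents, executables inside archives).  All sample files are constructed."""
import io
import re
import zipfile

# Extensions the post says not to carry over with personal data (.pdf included
# because the post lists it, not because PDFs are executables).
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".dll", ".com", ".bat", ".cmd", ".msi", ".pif", ".hta",
    ".ini", ".pdf", ".htm", ".html", ".php", ".asp", ".xml",
}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".cab"}


def extensions_of(name):
    """Every dot-suffix, lower-cased with surrounding whitespace removed, so
    'Holiday.JPG        .exe' yields ['.jpg', '.exe']."""
    return ["." + p.strip().lower() for p in name.split(".")[1:] if p.strip()]


def assess_name(name):
    """Flags derivable from the file name alone."""
    flags = set()
    exts = extensions_of(name)
    final = exts[-1] if exts else ""
    if final in RISKY_EXTENSIONS:
        flags.add("risky_extension")
        if len(exts) > 1:                      # photo.jpg.exe, notes.txt.scr
            flags.add("double_extension")
    if final in ARCHIVE_EXTENSIONS:
        flags.add("archive")
    # Runs of spaces before the real extension push it out of Explorer's
    # visible name column, the trick the post describes.
    if name != name.strip() or re.search(r"\s{2,}|\s\.", name):
        flags.add("padded_name")
    return flags


def assess_file(name, data):
    """Name checks plus two content checks: a PE header ('MZ') under a
    harmless-looking name, and risky names inside a zip archive."""
    flags = assess_name(name)
    if data[:2] == b"MZ":
        flags.add("executable_content")
    if "archive" in flags and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any("risky_extension" in assess_name(n) for n in zf.namelist()):
                flags.add("archive_contains_risky_file")
    return flags


def safe_to_copy(name, data):
    """A file may be copied to the new machine only if no flag was raised."""
    return not assess_file(name, data)


def sample_zip():
    """Constructed archive: a text file plus an .exe, the case the post says to leave behind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
        zf.writestr("tools/installer.exe", "MZ placeholder, not a real program")
    return buf.getvalue()


# Constructed sample set: (name, first bytes of content)
SAMPLES = [
    ("budget 2010.xls", b"\xd0\xcf\x11\xe0"),       # OLE2 header, ordinary spreadsheet
    ("photo.jpg", b"MZ\x90\x00"),                   # PE disguised as an image
    ("Holiday.JPG        .exe", b"MZ\x90\x00"),     # padded double extension
    ("notes.txt.scr", b"MZ\x90\x00"),               # screensaver behind a .txt
    ("downloads.zip", sample_zip()),                # archive with an .exe inside
]


def triage(samples=SAMPLES):
    """Return {name: flags}; an empty flag set means the file may be copied."""
    return {name: assess_file(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, flags in triage().items():
        print("%-28r %s" % (name, "copy" if not flags else ", ".join(sorted(flags))))
```

To run it over a real tree, feed assess_file() each name and the first few hundred bytes of content; anything that comes back with flags stays on the old machine. The content check only recognises the PE header and only looks inside .zip, because the standard library does not read .rar or .cab; treat those archives as opaque and leave them behind, as the post advises.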

#3 ErinC


Posted 14 August 2010 - 12:27 PM

Would it be possible for you to help me clean the computer? I did download Microsoft Essentials and it found the 5 Java exploits, which seemed to fix the problem with random urls in the browser history, but then it came back today. I can't use the new computer for work because it's got Windows 7, which is not compatible with their software. So, I will still need to use this one for work. Another symptom is eBay login redirecting to a phishing site.

#4 quietman7


Posted 14 August 2010 - 02:00 PM

It's possible that you have an infected Master Boot Record (MBR), so let's check it to be sure.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your Desktop. <-Important!!!
  • Link 1
  • Link 2
  • Link 3
  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.


#5 ErinC


Posted 14 August 2010 - 03:11 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 125):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7B0A000 \WINDOWS\system32\KDCOM.DLL
0xF7A1A000 \WINDOWS\system32\BOOTVID.dll
0xF74DB000 ACPI.sys
0xF7B0C000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74CA000 pci.sys
0xF760A000 isapnp.sys
0xF7BD2000 pciide.sys
0xF788A000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF761A000 MountMgr.sys
0xF74AB000 ftdisk.sys
0xF7892000 PartMgr.sys
0xF762A000 VolSnap.sys
0xF7493000 atapi.sys
0xF763A000 SiSRaid.sys
0xF747B000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF764A000 disk.sys
0xF765A000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF745B000 fltmgr.sys
0xF7449000 sr.sys
0xF766A000 PxHelp20.sys
0xF7432000 KSecDD.sys
0xF741F000 WudfPf.sys
0xF7392000 Ntfs.sys
0xF7365000 NDIS.sys
0xF789A000 sisidex.sys
0xF767A000 SISAGPX.sys
0xF734B000 Mup.sys
0xF6D03000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6C79000 \SystemRoot\system32\DRIVERS\sisgrp.sys
0xF6C65000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6CF3000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF6CE3000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76AA000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6C42000 \SystemRoot\system32\DRIVERS\ks.sys
0xF78EA000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF686B000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF6847000 \SystemRoot\system32\drivers\portcls.sys
0xF76BA000 \SystemRoot\system32\drivers\drmk.sys
0xF78F2000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6823000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78FA000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF67CC000 \SystemRoot\system32\DRIVERS\RT61.sys
0xF76CA000 \SystemRoot\system32\drivers\es1371mp.sys
0xF76DA000 \SystemRoot\system32\DRIVERS\serial.sys
0xF6CDF000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF67B8000 \SystemRoot\system32\DRIVERS\parport.sys
0xF67A1000 \SystemRoot\System32\Drivers\ezplay.sys
0xF7D55000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7B72000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF7902000 \SystemRoot\System32\Drivers\Modem.SYS
0xF76EA000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6CDB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF678A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76FA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF770A000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF790A000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6779000 \SystemRoot\system32\DRIVERS\psched.sys
0xF771A000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7912000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF791A000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF772A000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF773A000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7922000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF792A000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B74000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF671B000 \SystemRoot\system32\DRIVERS\update.sys
0xF6CCB000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF66E0000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
0xF775A000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF776A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B76000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7ABA000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF160C000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xF7B78000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C78000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B7A000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7952000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF795A000 \SystemRoot\System32\drivers\vga.sys
0xF7B7C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B7E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7962000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF796A000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7AD2000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF15D9000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF1580000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF1558000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF1536000 \SystemRoot\System32\drivers\afd.sys
0xF7ADA000 \SystemRoot\system32\DRIVERS\srvkp.sys
0xF1515000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF7972000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF14EA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF147A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF778A000 \SystemRoot\System32\Drivers\Fips.SYS
0xF1454000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF779A000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF13CE000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xF7B02000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF77BA000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF77CA000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF797A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7982000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xF77DA000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF12B3000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xF7327000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF798A000 \SystemRoot\system32\DRIVERS\point32.sys
0xF731F000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7307000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7992000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7CBF000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\SiSGRV.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF1133000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF0D56000 \SystemRoot\system32\drivers\wdmaud.sys
0xF6D43000 \SystemRoot\system32\drivers\sysaudio.sys
0xF0B5E000 \??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys
0xF0FCB000 \??\C:\Program Files\NavNT\NAVAPEL.SYS
0xF78DA000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xF077B000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xF073A000 \SystemRoot\System32\Drivers\HTTP.sys
0xF011F000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
312 C:\WINDOWS\system32\smss.exe
360 csrss.exe
388 C:\WINDOWS\system32\winlogon.exe
432 C:\WINDOWS\system32\services.exe
444 C:\WINDOWS\system32\lsass.exe
592 C:\WINDOWS\system32\svchost.exe
652 svchost.exe
688 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
728 C:\WINDOWS\system32\svchost.exe
768 C:\WINDOWS\system32\svchost.exe
1052 svchost.exe
1080 C:\WINDOWS\explorer.exe
1296 C:\WINDOWS\system32\spoolsv.exe
1448 svchost.exe
1464 C:\WINDOWS\system32\CSHelper.exe
1492 C:\Program Files\NavNT\defwatch.exe
1512 C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
1596 C:\Program Files\Java\jre6\bin\jqs.exe
1648 C:\WINDOWS\system32\LxrSII1s.exe
1680 C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
1696 C:\WINDOWS\system32\svchost.exe
448 C:\Program Files\Canon\CAL\CALMAIN.exe
908 alg.exe
548 svchost.exe
2228 C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
2252 C:\WINDOWS\system32\rundll32.exe
2276 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
2296 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
2304 C:\Program Files\Microsoft IntelliType Pro\itype.exe
2324 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
2344 C:\Program Files\Microsoft Security Essentials\msseces.exe
2356 C:\Program Files\CuteReminder\CuteReminder.exe
3440 C:\WINDOWS\system32\wuauclt.exe
1968 C:\Program Files\Outlook Express\msimn.exe
2788 C:\WINDOWS\system32\ctfmon.exe
1672 C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
3020 C:\Program Files\Mozilla Firefox\firefox.exe
3224 C:\WINDOWS\system32\wuauclt.exe
2812 wmiprvse.exe
1856 C:\Documents and Settings\Erin\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGSP1644N, Rev: BV100-45

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
SHA1: 4C73F18103C9BEEC7A59697F7C30E616317435F9


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

#6 quietman7


Posted 14 August 2010 - 04:17 PM

I can't use the new computer for work because it's got Windows 7,

This log shows the computer is Windows XP SP3, not Windows 7. Please confirm.

The log also indicates you have an infected Master Boot Record (MBR). To learn more about this infection please refer to:

#7 ErinC


Posted 14 August 2010 - 06:26 PM

The computer we are fixing is XP. The new computer I want to transfer files from this XP computer is W7. So, I want to rid it of any sort of malware before transferring files so I don't infect the new computer, but I also still need to use this XP for work, so it needs to be clean for that as well. Sorry to confuse you.

#8 quietman7


Posted 14 August 2010 - 09:02 PM

Rerun MBRCheck.exe again by double-clicking on it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option [2] (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter [0] (for PhysicalDrive0) and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below.

    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:

  • Please select your version of Windows from the list and enter the corresponding number (For example, type 0 or 1 for XP, type 3 for Vista, type 5 for Windows 7, etc) and then press Enter. Be careful...if the wrong OS is used, it will render the computer unbootable.
  • When prompted for confirmation: 'Do you want to fix the MBR code?'. Type the full word Yes (not Y or the fix will not work) and press Enter.
  • Left-click on the title bar (where program name and path is written).
  • From the menu choose Edit -> Select All.
  • Press the Enter key on your keyboard to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.
After rebooting, rerun MBRCheck.exe once more by double-clicking on it (do not run any options).
  • It will open a black screen with some data on it and continue to run.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A new log named MBRCheck_date_time.txt will appear on the desktop.
  • Do not get this log confused with any previous logs (check the date and time if unsure).
  • Copy and paste the contents of that log in your next reply.
Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available which will allow recovering the boot code via the Windows Recovery Console (XP) or Recovery Environment (Vista, Windows 7) in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR:

#9 ErinC


Posted 15 August 2010 - 12:33 PM

As soon as I did the fix, MSE popped up a warning (below). I did not do anything to remove this, as I see it's a backup file for MBRcheck. I am restarting now, but wanted to paste this before I did in case it disappears.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
file:C:\Documents and Settings\Erin\Desktop\MBRCheck_MBR_Backup_08-15-10_11-28-30.bak

Get more information about this item online.

#10 ErinC


Posted 15 August 2010 - 12:41 PM

MBRcheck.txt:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
SHA1: 4C73F18103C9BEEC7A59697F7C30E616317435F9


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!
Press ENTER to exit...

#11 ErinC


Posted 15 August 2010 - 12:42 PM

Report after reboot:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 124):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7B0A000 \WINDOWS\system32\KDCOM.DLL
0xF7A1A000 \WINDOWS\system32\BOOTVID.dll
0xF74DB000 ACPI.sys
0xF7B0C000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74CA000 pci.sys
0xF760A000 isapnp.sys
0xF7BD2000 pciide.sys
0xF788A000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF761A000 MountMgr.sys
0xF74AB000 ftdisk.sys
0xF7892000 PartMgr.sys
0xF762A000 VolSnap.sys
0xF7493000 atapi.sys
0xF763A000 SiSRaid.sys
0xF747B000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF764A000 disk.sys
0xF765A000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF745B000 fltmgr.sys
0xF7449000 sr.sys
0xF766A000 PxHelp20.sys
0xF7432000 KSecDD.sys
0xF741F000 WudfPf.sys
0xF7392000 Ntfs.sys
0xF7365000 NDIS.sys
0xF789A000 sisidex.sys
0xF767A000 SISAGPX.sys
0xF734B000 Mup.sys
0xF782A000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6C67000 \SystemRoot\system32\DRIVERS\sisgrp.sys
0xF6C53000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF783A000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF784A000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF785A000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6C30000 \SystemRoot\system32\DRIVERS\ks.sys
0xF78BA000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF6859000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF6835000 \SystemRoot\system32\drivers\portcls.sys
0xF786A000 \SystemRoot\system32\drivers\drmk.sys
0xF78C2000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6811000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78CA000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF67BA000 \SystemRoot\system32\DRIVERS\RT61.sys
0xF787A000 \SystemRoot\system32\drivers\es1371mp.sys
0xF76AA000 \SystemRoot\system32\DRIVERS\serial.sys
0xF6D75000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF67A6000 \SystemRoot\system32\DRIVERS\parport.sys
0xF678F000 \SystemRoot\System32\Drivers\ezplay.sys
0xF7CC3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7B64000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF78D2000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6D39000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6D71000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6778000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF6D29000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF6D19000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78DA000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6767000 \SystemRoot\system32\DRIVERS\psched.sys
0xF6D09000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78E2000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78EA000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6CF9000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF6CE9000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF78F2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF78FA000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B66000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6709000 \SystemRoot\system32\DRIVERS\update.sys
0xF6D61000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF66CE000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
0xF6CC9000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF6CB9000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B68000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7AC2000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF15FA000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xF7B6A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7D11000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B6C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7922000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF792A000 \SystemRoot\System32\drivers\vga.sys
0xF7B6E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B70000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7932000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF793A000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7ADE000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF15C7000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF156E000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF1546000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF1524000 \SystemRoot\System32\drivers\afd.sys
0xF7AE2000 \SystemRoot\system32\DRIVERS\srvkp.sys
0xF1503000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF7942000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF14D8000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF1468000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76BA000 \SystemRoot\System32\Drivers\Fips.SYS
0xF140A000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xF13E4000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF76CA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7B02000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF76DA000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF794A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7952000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xF76EA000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF1341000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xF7B06000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF795A000 \SystemRoot\system32\DRIVERS\point32.sys
0xF7323000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF770A000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6D81000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7962000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C6F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\SiSGRV.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF1111000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF0D44000 \SystemRoot\system32\drivers\wdmaud.sys
0xF0E19000 \SystemRoot\system32\drivers\sysaudio.sys
0xF0C44000 \??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys
0xF0E49000 \??\C:\Program Files\NavNT\NAVAPEL.SYS
0xF7A0A000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xF0791000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xF0750000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 39):
0 System Idle Process
4 System
320 C:\WINDOWS\system32\smss.exe
372 csrss.exe
396 C:\WINDOWS\system32\winlogon.exe
440 C:\WINDOWS\system32\services.exe
452 C:\WINDOWS\system32\lsass.exe
600 C:\WINDOWS\system32\svchost.exe
656 svchost.exe
696 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
732 C:\WINDOWS\system32\svchost.exe
772 C:\WINDOWS\system32\svchost.exe
1072 svchost.exe
1124 C:\WINDOWS\explorer.exe
1248 C:\WINDOWS\system32\spoolsv.exe
1412 svchost.exe
1432 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1484 C:\WINDOWS\system32\CSHelper.exe
1500 C:\Program Files\NavNT\defwatch.exe
1524 C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
1556 C:\Program Files\Java\jre6\bin\jqs.exe
1616 C:\WINDOWS\system32\LxrSII1s.exe
1656 C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
1680 C:\WINDOWS\system32\svchost.exe
1924 C:\WINDOWS\system32\wuauclt.exe
2012 C:\Program Files\Canon\CAL\CALMAIN.exe
632 alg.exe
976 C:\Program Files\F-Group\Absolute StartUp\ASMon.exe
1012 C:\WINDOWS\system32\rundll32.exe
1028 svchost.exe
1036 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
1428 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
1520 C:\Program Files\Microsoft IntelliType Pro\itype.exe
1596 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
1628 C:\Program Files\Microsoft Security Essentials\msseces.exe
1648 C:\Program Files\CuteReminder\CuteReminder.exe
2084 C:\Documents and Settings\Erin\Application Data\Dropbox\bin\Dropbox.exe
3396 MpCmdRun.exe
3716 C:\Documents and Settings\Erin\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGSP1644N, Rev: BV100-45

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
SHA1: 4C73F18103C9BEEC7A59697F7C30E616317435F9


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

#12 quietman7


Posted 15 August 2010 - 01:29 PM

Your log indicates the fix did not work. It's possible MSE interfered even though you took no action, so let's try another tool.

Please download bootkit_remover.rar and save it to your Desktop. <-Important!!!

You will need to extract the remover.exe file using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can download, install and use 7-zip.
  • Right-click on the bootkit_remover.rar file and select "extract/unzip here".
  • This will create two readme files and a file named remover.exe on your desktop.
  • Double-click on remover.exe.
    Note: Vista/Windows 7 users right-click and select Run As Administrator.
  • A command window will open with a black screen and some data on it.
  • Right-click on the screen and choose Select All.
  • The screen will turn white. Press CTRL+C to copy the data on that screen.
  • Open Notepad and press CTRL+V, or click on the Edit tab and choose Paste.
  • Copy and paste the output from Notepad in your next reply.
  • Click on the black screen and press any key on the keyboard to exit.


#13 ErinC


Posted 16 August 2010 - 08:34 AM

Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...

#14 quietman7


Posted 16 August 2010 - 09:26 AM

MBRCheck is usually able to restore the MBR but in some circumstances it may fail. I suspect the same result if you use bootkit_remover to attempt the fix.

I recommend you install the XP Recovery Console and repair it from there with the 'fixmbr' command.
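As an added example (not MBRCheck, bootkit_remover or Recovery Console code, and not part of the thread), here are the checks those tools perform written out for a raw 512-byte sector: fingerprint the boot-code area by SHA-1 the way the MBRCheck logs above report it, confirm the 0x55AA boot signature, read the partition table (the 0x7E00 byte offset the logs give for C: is LBA 63 multiplied by 512), and, after a rewrite such as option [2] in post #8, verify that only the boot code changed and the partition table survived. The "known-good" hash set and both sample sectors are constructed here; the genuine Windows loader hashes are deliberately not reproduced.

```python
"""Added example (not MBRCheck or bootkit_remover code): parse a raw 512-byte
MBR, fingerprint its boot code as MBRCheck reports it (SHA-1 of the code
area), and check that a boot-code rewrite left the partition table intact.
All sample sectors and the known-good hash set are constructed here."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440       # bytes 0..439: executable boot code (what gets "faked")
DISK_SIG_OFF = 440        # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG_OFF = 510        # every valid MBR ends with 0x55 0xAA
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector):
    """Split one raw sector into the fields a boot-sector check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector, got %d bytes" % len(sector))
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start,
                           "sectors": count, "byte_offset": lba_start * SECTOR_SIZE})
    code = sector[:BOOT_CODE_END]
    return {
        "boot_code": code,
        "boot_code_sha1": hashlib.sha1(code).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def classify_boot_code(sector, known_good_sha1):
    """'known-good' if the code area hashes to an allow-listed loader, otherwise
    'non-standard' (MBRCheck's "MBR Code Faked" verdict)."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "invalid"
    return "known-good" if info["boot_code_sha1"] in known_good_sha1 else "non-standard"


def verify_repair(before, after):
    """Compare the sector read before a boot-code rewrite with the one read
    afterwards.  A correct repair changes only bytes 0..439; the disk signature
    and partition table must survive.  If nothing changed at all, the write
    never reached the disk, or a rootkit is still serving the old sector on
    read, which is what the post-reboot MBRCheck log in this thread shows."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": b["boot_code"] != a["boot_code"],
        "partition_table_preserved": b["partitions"] == a["partitions"],
        "disk_signature_preserved": b["disk_signature"] == a["disk_signature"],
        "boot_signature_ok": a["valid_signature"],
    }


def repair_succeeded(before, after):
    return all(verify_repair(before, after).values())


def build_sector(boot_code, disk_signature, partitions):
    """Assemble a sector for the constructed samples below (test data only)."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_signature)
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sec, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, count)
    sec[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sec)


# Constructed stand-ins: real tools compare against the genuine Windows loaders,
# whose hashes are not reproduced here.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_END - 7)
FAKED_BOOT_CODE = b"\xeb\x3e" + b"\x00" * (BOOT_CODE_END - 2)
KNOWN_GOOD = {hashlib.sha1(CLEAN_BOOT_CODE).hexdigest().upper()}

# One bootable NTFS partition starting at LBA 63: the 0x7E00 byte offset the
# logs above show for C: (63 * 512).  The sector count is made up.
XP_LAYOUT = [(0x80, 0x07, 63, 312_000_000)]
INFECTED = build_sector(FAKED_BOOT_CODE, 0x1234ABCD, XP_LAYOUT)
REPAIRED = build_sector(CLEAN_BOOT_CODE, 0x1234ABCD, XP_LAYOUT)

if __name__ == "__main__":
    print("before:", classify_boot_code(INFECTED, KNOWN_GOOD),
          parse_mbr(INFECTED)["boot_code_sha1"])
    print("after: ", classify_boot_code(REPAIRED, KNOWN_GOOD))
    print("repair verified:", repair_succeeded(INFECTED, REPAIRED))
    print("re-read unchanged (still hidden?):",
          not verify_repair(INFECTED, INFECTED)["boot_code_changed"])
```

On Windows an administrator can hand parse_mbr() the first 512 bytes read from r"\\.\PhysicalDrive0" (Python's open() accepts that device path), or, if the MBRCheck_MBR_Backup_*.bak file is a raw sector dump (an assumption here, not something the thread confirms), use it as the "before" image. The caveat the thread illustrates: every read taken from inside the infected OS goes through the same kernel the bootkit controls, so an "after" image that hashes identically to "before", as in post #11, means the write never took effect on disk or the rootkit is still filtering disk I/O; bootkit_remover's "Controlled by rootkit" verdict says the same. A trustworthy re-read comes from a clean boot medium, which is why repairing from the Recovery Console is the fallback.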

#15 ErinC


Posted 16 August 2010 - 02:20 PM

It isn't recognizing my disk...or any disk. I've used this drive within the last month and it worked fine. Could this root kit have affected the cd drive?



