
Help! Infected with iexplore virus & perhaps others


43 replies to this topic

#1 spodekmodek

spodekmodek

  • Members
  • 35 posts

Posted 15 August 2010 - 09:07 AM

Hi Folks-
As mentioned in the title, I have the Iexplore virus at the very minimum. I have engaged with a very nice knowledgeable person who offered to help me online. His efforts were great but he just wasn't able to eradicate it from my computer. In the course of our correspondence he had me try many tools, Avast, Kaspersky, Sophos, etes, Malwarebytes, Combofix etc. They would detect various viruses & malware. Most they were able to quarantine but obviously the iexplore virus remains. His conclusion was that the virus is probably on the rootkit of my external hard drive which no programs could seem to remove.

We unplugged the external hard drive but still the virus remained on my computer. I've attached the lion's share of our correspondence. Almost all of it is his answers which sum up our attempts.

Thanks so much for your help.

Steve F.


DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 22:07:14.90 on Sat 08/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.457 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

svchost.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe 4
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Documents and Settings\User\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\program files\adobe\Acrobat_com\Acrobat_com.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://nyc.rr.com/
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [SunJavaUpdateSched] c:\program files\common files\java\java update\jusched.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} - hxxp://limo.elliman.com/XMLSearch/XMLCache.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: klogon - c:\windows\system32\klogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\r265h3o8.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\r265h3o8.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-31 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-31 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-31 243024]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-8-3 315408]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-31 308136]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\user\local settings\application data\crossloop\CrossLoopService.exe [2010-7-16 560792]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-3 38224]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\28a.tmp --> c:\windows\system32\28A.tmp [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-4-28 34760]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
S3 uvnc_service;uvnc_service;c:\documents and settings\user\local settings\application data\crossloop\winvnc.exe [2010-7-16 1590216]

=============== Created Last 30 ================

2010-08-15 02:02:18 0 ----a-w- c:\documents and settings\user\defogger_reenable
2010-08-06 20:40:47 2175 ----a-w- c:\documents and settings\user\.recently-used.xbel
2010-08-03 18:44:53 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-08-03 18:44:53 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-08-03 18:43:28 0 d-----w- c:\program files\Kaspersky Lab
2010-08-03 18:41:55 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Kaspersky Lab Setup Files
2010-08-03 16:00:34 0 d-----w- c:\docume~1\user\applic~1\ElevatedDiagnostics
2010-07-31 17:49:19 0 d--h--w- C:\$AVG
2010-07-31 16:40:56 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-31 16:40:45 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-31 16:40:33 0 d-----w- c:\windows\system32\drivers\Avg
2010-07-31 16:40:21 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-31 16:40:14 0 d-----w- c:\program files\AVG
2010-07-31 16:40:14 0 d-----w- c:\docume~1\alluse~1.win\applic~1\avg9
2010-07-23 03:05:03 0 d-----w- c:\program files\Sophos
2010-07-21 13:13:30 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 14:05:32 14904 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-20 01:54:36 161293 ----a-w- c:\windows\Expstudio Audio Editor FREE Uninstaller.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 19:50:14 77296 ----a-w- c:\windows\hpqins05.dat
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 01:44:09 2 --shatr- c:\windows\winstart.bat
2005-07-14 16:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 19:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 02:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2005-09-11 02:28:46 573430 --sha-r- c:\windows\system32\smab.dll
2005-02-28 17:16:22 240128 --sha-r- c:\windows\system32\x.264.exe

============= FINISH: 22:08:05.37 ===============

#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location:Numpty HQ

Posted 15 August 2010 - 05:09 PM

Good evening.

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.

 

 


#3 spodekmodek

spodekmodek
  • Topic Starter

  • Members
  • 35 posts

Posted 16 August 2010 - 05:09 PM

Hi Noviciate
Thank you much for taking on my case. It's been a long slog trying to get this bug(s) out.

I ran MBRCHECK.exe and here are the results:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fd

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75F7000 klbg.sys
0xF7508000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74F7000 pci.sys
0xF7607000 isapnp.sys
0xF7707000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF7617000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF798D000 dmload.sys
0xF74B2000 dmio.sys
0xF770F000 PartMgr.sys
0xF7627000 VolSnap.sys
0xF749A000 atapi.sys
0xF7637000 disk.sys
0xF7647000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF747A000 fltmgr.sys
0xF7657000 PxHelp20.sys
0xF7463000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF7436000 NDIS.sys
0xF741C000 Mup.sys
0xF7667000 agp440.sys
0xF7697000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA50F000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xBA4FB000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF773F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xBA4D7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7747000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA3CA000 \SystemRoot\system32\DRIVERS\BCMSM.sys
0xBA3A7000 \SystemRoot\system32\DRIVERS\ks.sys
0xF775F000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA383000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF776F000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF777F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\klmouflt.sys
0xF778F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7933000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA347000 \SystemRoot\system32\DRIVERS\parport.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF75C6000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA2C1000 \SystemRoot\system32\drivers\smwdm.sys
0xBA29D000 \SystemRoot\system32\drivers\portcls.sys
0xF75B6000 \SystemRoot\system32\drivers\drmk.sys
0xF7991000 \SystemRoot\system32\drivers\aeaudio.sys
0xF75A6000 \SystemRoot\system32\DRIVERS\klim5.sys
0xF7A75000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7995000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF7596000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA7D8000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xBA1E6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7586000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7576000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA1D5000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7566000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77F7000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7556000 \SystemRoot\System32\Drivers\pcouffin.sys
0xF77FF000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xBA1A5000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7546000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF799B000 \SystemRoot\system32\DRIVERS\swenum.sys
0xBA147000 \SystemRoot\system32\DRIVERS\update.sys
0xBA7B4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7536000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA780000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79A5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF781F000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB8EAC000 \SystemRoot\system32\DRIVERS\klif.sys
0xF79AB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7A94000 \SystemRoot\System32\Drivers\Null.SYS
0xF79AF000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7757000 \SystemRoot\System32\drivers\vga.sys
0xF79B3000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79B7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7777000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7797000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA36B000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB896C000 \??\C:\WINDOWS\system32\drivers\kl1.sys
0xB8959000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB88D8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB889E000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB8878000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA750000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB8850000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB882E000 \SystemRoot\System32\drivers\afd.sys
0xBA740000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB8803000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBA12F000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0xB8793000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA720000 \SystemRoot\System32\Drivers\Fips.SYS
0xF77C7000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB875F000 \SystemRoot\System32\Drivers\avgldx86.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF780F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA700000 \SystemRoot\system32\DRIVERS\mxopswd.sys
0xBA123000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xB8F35000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xB8F25000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xBA28D000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xB9001000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xB8713000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB894D000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8EFD000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A76000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xB698A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB66F5000 \SystemRoot\system32\drivers\wdmaud.sys
0xB678A000 \SystemRoot\system32\drivers\sysaudio.sys
0xBA710000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF79F9000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB6300000 \SystemRoot\system32\DRIVERS\srv.sys
0xB5E5F000 \SystemRoot\System32\Drivers\HTTP.sys
0xADA25000 \??\C:\DOCUME~1\User\LOCALS~1\Temp\pxtdapod.sys
0xA5555000 \SystemRoot\System32\Drivers\Udfs.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
952 C:\WINDOWS\system32\smss.exe
1016 csrss.exe
1040 C:\WINDOWS\system32\winlogon.exe
1084 C:\WINDOWS\system32\services.exe
1096 C:\WINDOWS\system32\lsass.exe
1256 C:\WINDOWS\system32\svchost.exe
1260 C:\WINDOWS\system32\svchost.exe
1404 C:\WINDOWS\system32\svchost.exe
1416 svchost.exe
1552 C:\WINDOWS\system32\svchost.exe
1608 svchost.exe
1772 C:\Program Files\AVG\AVG9\avgchsvx.exe
1780 C:\Program Files\AVG\AVG9\avgrsx.exe
1812 svchost.exe
1952 C:\WINDOWS\system32\spoolsv.exe
2040 C:\Program Files\AVG\AVG9\avgcsrvx.exe
372 svchost.exe
1856 C:\WINDOWS\explorer.exe
1760 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1716 C:\WINDOWS\system32\ctfmon.exe
1624 C:\Program Files\AVG\AVG9\avgwdsvc.exe
1496 C:\Documents and Settings\User\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
1516 C:\Program Files\Java\jre6\bin\jqs.exe
2084 C:\Program Files\Maxtor\Sync\SyncServices.exe
2140 C:\Program Files\AVG\AVG9\avgnsx.exe
2404 C:\WINDOWS\system32\svchost.exe
2424 C:\WINDOWS\system32\svchost.exe
2500 C:\WINDOWS\system32\svchost.exe
2540 wdfmgr.exe
784 alg.exe
1316 C:\Program Files\Mozilla Firefox\firefox.exe
3900 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
2124 C:\Program Files\internet explorer\iexplore.exe
1372 C:\Program Files\internet explorer\iexplore.exe
3468 C:\Program Files\Adobe\Acrobat_com\Acrobat_com.exe
3872 C:\Program Files\internet explorer\iexplore.exe
1644 C:\WINDOWS\system32\svchost.exe
2056 C:\Program Files\Mozilla Firefox\plugin-container.exe
944 C:\Program Files\Messenger\msmsgs.exe
2808 C:\Program Files\Java\jre6\bin\java.exe
2120 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
2152 C:\Program Files\Outlook Express\msimn.exe
5600 C:\Program Files\Java\jre6\bin\java.exe
1904 C:\Documents and Settings\User\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`01f60800 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800BB-75CAA0, Rev: 16.06V16
PhysicalDrive1 Model Number: ST3250310AS, Rev: 3.AAA
PhysicalDrive2 Model Number: MaxtorOneTouch, Rev: 0125

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: F7F292C3147EE0FD169287009AD8323277D4A226
232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: F7F292C3147EE0FD169287009AD8323277D4A226
298 GB \\.\PhysicalDrive2 RE: Unknown MBR code
SHA1: 5B9B74AA8A41E8676A3B6C4F52BB9007179BF067


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


_____

I'm not sure if I'm unzipping the linked Preformat file correctly. I don't get an "extract all" when right clicking the folder so I have to go in and try to manually extract all. I do get a folder with a 1KB Preformat.VBS script and a 1KB text file. Double clicking on the Preformat VBS script took 1 second. Again, not sure if that is normal and that all the files are being extracted.
(I'm attempting to use ZipGenius.) What is on the text file is attached below. Let me know if I have to try to extract the files differently.

Thanks Muchly!

Steve F.


Partition ID: Disk #1, Partition #0
Size: 232.88 GB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #0
Size: 31.35 MB

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #0, Partition #1
Size: 74.47 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

Partition ID: Disk #2, Partition #0
Size: 298.09 GB

The computer boots from this partition.

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Computer Corporation
Name: Phoenix ROM BIOS PLUS Version 1.10 A12
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~



#4 Noviciate (Malware Response Team)

Posted 17 August 2010 - 02:36 PM

Good evening.

OK, the situation you find yourself in is as follows - Your hard drive has an area on it that is known as the Master Boot Record. The nasty that you have picked up has altered the MBR and ideally we would undo the changes to solve the problem.
Unfortunately it isn't quite as easy as typing this and the only option we have available is to replace your MBR with a standard one, which may not be the end of your problems. Different computer manufacturers can have custom Master Boot Records and overwriting the infected MBR with a standard one may result in some of the Manufacturer installed options such as Factory Restore becoming disabled.
The worst-case scenario is that the PC becomes unbootable and you have what is in effect an expensive paperweight, which, although unlikely, needs to be mentioned. While this won't actually physically break anything and you can reinstall the Operating System from a disc, if you have one, the existing installation of Windows will be unusable.

If you can tell me the make and model of the PC, and whether you have a Windows installation/Recovery disc or not, I will try to find out if the fix is likely to cause issues with your computer.

I'd also like to know if you've installed a second or third hard drive and if so whether the machine dual boots - Preformat.txt seems to show three drives of which two are thought to be bootable, but you might have ghosted one drive which could partially explain the results.

So long, and thanks for all the fish.


#5 spodekmodek (Topic Starter)

Posted 17 August 2010 - 09:31 PM

Hmm you do seem to know your stuff which is what makes what you said so sobering.
Being basically ignorant of how a computer works, I won't be much of a help to you.
What I know is that at a couple of points, an additional hard drive was installed in the computer and it sounds familiar that it was switched around to make a different drive the C. But I can't absolutely swear to it. But it sounds slightly familiar.

Right now the computer is showing a C drive, backup D drive and an external Maxtor drive, which the last fellow thought might be reinfecting the computer.

I don't know what dual booting means. Perhaps you can tell me how to test for it.
My computer is a Dell Dimension. The only discs I have are the "Dell Operating System Reinstallation CD", "Dell Application CD" (antivirus, support software, internet, multimedia) and the "Drivers & Utilities CD".

Thanks for your kind attention Noviciate!


#6 Noviciate (Malware Response Team)

Posted 18 August 2010 - 02:37 PM

Good evening.

QUOTE
I won't be much of a help to you.

Things are progressing, so you are being helpful - give yourself a Hoorah if you like that sort of thing, or a small clap if you don't.

What I need you to confirm for me is the size of your C drive - if you right click it in My Computer and select Properties it will tell you there.

So long, and thanks for all the fish.


#7 spodekmodek (Topic Starter)

Posted 18 August 2010 - 04:30 PM

Hi Noviciate
Rt clicking C drive shows 62 GB Total 11.8 Free
Rt Clicking D drive shows 222 GB total 175 Free

Thanks Noviciate


#8 Noviciate (Malware Response Team)

Posted 18 August 2010 - 05:46 PM

This linky has a guide to accessing XP's Disk Management utility. What I am interested in is Disk 0 on your PC and the first of the two partitions that I believe it has - it shows in Preformat as 31.35 MB in size.
I'm thinking that it is something Dell created and I'd like to know what you can tell me about it. If you look at the piccy in the link, disk 0's first partition is C: 5.00 GB NTFS Healthy (System) - I'd like you to post what yours is.

So long, and thanks for all the fish.


#9 spodekmodek (Topic Starter)

Posted 18 August 2010 - 07:15 PM

Thanks for the timely reply Noviciate

okay
I opened up Disk Management and...well it doesn't have quite the colorful display that I see in the demo. At the top of the display there is a Disc 0 box. Next to it, it reads 74.47GB NTFS (healthy system); next to that is a small box with 31MB FAT (healthy)


By the way..on the top under "volume" it indicates that it's an un-named hard drive (partition-Basic-FAT) that's associated with the 31MB box. When I click underneath to the C drive, the 74.47GB box is highlighted.

Underneath Disc 0 is Disc 1 which reads 232.88GB

Do I know what this means......I should say not!

Thanks again Noviciate

#10 Noviciate (Malware Response Team)

Posted 19 August 2010 - 02:42 PM

Good evening.

Are we sitting comfortably? Then I'll begin...

As you have a DELL PC your computer is blessed with a custom MBR, which presents a teensy problem. This is that we cannot, with the tools available, undo the damage that has been caused by the malware that you have picked up. What we can do instead is to replace the infected MBR with a clean standard MBR.
The effect of this is to disable access to the Dell Utility Partition that is sat on the start of your hard drive. Given that I doubt that you were aware that you had it, I don't see that this will be a big loss, especially as you should be able to access the Diagnostics utility via one of the discs that DELL thoughtfully provided you with - praise be unto DELL!

What you have to be aware of is the small but nevertheless possible result of replacing the MBR and that is that while you will be able to turn your PC on, it won't be able to locate the operating system and hence your PC is an expensive paperweight.
This will require you to reinstall Windows from one of your discs which will repair the system but cost you any data/installed programs/etc... that you had on the computer.

While overwriting the MBR isn't an everyday occurrence, it isn't in the grand scheme of things a major PC overhaul, and so it should go according to plan BUT there are no guarantees where computers are concerned! It is a very wise person who backs up any and all important data before doing anything else and this is what I advise you to do now.

If you are happy to lose access to DELL Diagnostics (click here for more info) and are willing to take the tiny risk that things don't go according to plan, then let me know and I'll post the relevant instructions.
The alternatives are either to live with the nasty that you have or contact DELL who may be able to replace your MBR with a legitimate custom version to restore your PC to its former glory. Let me know what you decide.

So long, and thanks for all the fish.


#11 spodekmodek (Topic Starter)

Posted 19 August 2010 - 03:09 PM

Thanks for your thoughtful evaluation Noviciate.
And yes, you surmised correctly. Dell Diagnostic Utility is neither contributing agony nor ecstasy to my life, so off with it. No whiskey needed.
Much more daunting however is the small possibility that everything on my computer will be vaporized once a new MBR is installed. Unlikely as it is, Murphy (and his law) and myself are not strange bedfellows, so I try to minimize the chance he'll visit.

My question Noviciate is this. How do I back my computer up without bringing the nasty bug along with it? If I could do that then I could reinstall the MBR or buy another computer (which of course I prefer not to do). I assume that my Maxtor (which has everything backed up) is worthless because it is a possible vehicle for the virus. But I would buy another external if I had to.
Of course, I have no idea what the comparative cost would be compared to having a Dell guy come to my home, which doesn't sound so pennywise.

Thanks again Noviciate





#12 Noviciate (Malware Response Team)

Posted 19 August 2010 - 03:37 PM

The nasty exists within the MBR on your system and if you don't copy this to another machine, you don't carry the infection. If you simply save any personal data to either an external hard drive, a USB flashdrive or CD/DVD then you have no issues.

Your external hard drive shows a non-standard MBR as far as MBRCheck is concerned, but that isn't a worry as I would expect that if it was infected it would show the same MBR results as the other two drives. The infection may only infect any available MBRs at the initial point of infection and if your hard drive wasn't connected at the time, it couldn't be infected - I say "may" as I don't know exactly how it works, but your external drive doesn't look like it's infected to me, and even if it was, unless you actually booted from the drive you wouldn't activate it. Assuming that you use the drive for storage rather than as a home for a second operating system, you have no worries.

Even if your MBR became in some way corrupt and your PC wouldn't boot, you would simply reinstall the OS from the disc and it would then be clean. Copy your data over and reinstall whatever programs you wished and all would be well.

The risks are small and if it wasn't for my desire not to feel real bad if the unexpected happened, I wouldn't even have mentioned it. I'd rather you took all available precautions and afterwards wondered why you'd bothered, than curse me unto the deepest pit of doom, or whatever the deepest pit is you can think of, because when you told me how bad it went I posted "Hmmm, that was always a possibility!".

To summarise, if this was my machine I'd fire up the external drive and copy whatever you don't want to lose and then kill the nasty.

So long, and thanks for all the fish.
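To make concrete what posts #10 and #12 describe (the infection lives only in the boot-code bytes of the MBR, the partition table around it is untouched, and MBRCheck's "known-bad" / "unknown" verdicts are just a SHA1 of that boot code compared against lists), here is an added Python example that is not part of this thread and not MBRCheck's own code. The MBR images, boot-code bytes and the Dell-like partition layout are constructed test data; the only real value is the known-bad SHA1 quoted from the MBRCheck output earlier in the thread.

```python
import hashlib
import struct

SECTOR, BOOT_CODE_LEN, PART_TABLE_OFF = 512, 440, 446   # boot code is bytes 0..439, table at 446
SIGNATURE = b"\x55\xaa"        # bytes 510..511 on every valid MBR
ENTRY = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
# SHA1 that MBRCheck reported as known-bad on PhysicalDrive1 earlier in this thread.
KNOWN_BAD = {"F7F292C3147EE0FD169287009AD8323277D4A226"}
# Constructed Dell-like layout from the thread: 31 MB FAT utility partition (0x06), then bootable NTFS (0x07).
SAMPLE_LAYOUT = [(False, 0x06, 63, 64_260), (True, 0x07, 64_323, 156_174_336)]
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 32     # constructed stand-in for vendor boot code
TAMPERED_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\xcc" * 32  # constructed stand-in for altered boot code

def build_sample_mbr(boot_code, layout):
    """Assemble a 512-byte MBR image in memory (test data, not read from a disk)."""
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    for i, (bootable, ptype, start, count) in enumerate(layout):
        struct.pack_into(ENTRY, img, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    img[510:] = SIGNATURE
    return bytes(img)

def parse_mbr(img):
    """Return the boot-code SHA1 (as MBRCheck does) and the populated partition entries."""
    if len(img) < SECTOR or img[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA signature: not an MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY, img, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": start, "size_mib": round(count * SECTOR / 2**20, 2)})
    return {"boot_code_sha1": hashlib.sha1(img[:BOOT_CODE_LEN]).hexdigest().upper(),
            "partitions": parts}

def classify(img, known_good, known_bad=KNOWN_BAD):
    """Mirror MBRCheck's verdicts; UNKNOWN may be malware or a vendor-custom MBR, so review it."""
    digest = parse_mbr(img)["boot_code_sha1"]
    if digest in known_bad:
        return "KNOWN_BAD"
    return "KNOWN_GOOD" if digest in known_good else "UNKNOWN"

def demo():
    clean = build_sample_mbr(CLEAN_CODE, SAMPLE_LAYOUT)
    tampered = build_sample_mbr(TAMPERED_CODE, SAMPLE_LAYOUT)
    known_good = {parse_mbr(clean)["boot_code_sha1"]}   # hash taken while the machine was clean
    return {"clean": classify(clean, known_good), "tampered": classify(tampered, known_good),
            "same_table": parse_mbr(clean)["partitions"] == parse_mbr(tampered)["partitions"],
            "bootable": [p["index"] for p in parse_mbr(clean)["partitions"] if p["bootable"]]}
```

The tampered image parses to exactly the same partition table as the clean one, which is why the disk still boots and the files on it are not themselves infected; only the boot-code hash gives it away, and an unknown hash on a vendor-customised disk cannot be told from malware without a known-good reference.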


#13 spodekmodek (Topic Starter)

Posted 19 August 2010 - 04:30 PM

Much obliged for the handholding here Noviciate (first base is all you or I will get however).
Can't say I totally understand all you've written....but to put it in more childlike or grandmotherly terms....

Although Virus/Trojan scans have picked up viruses and/or trojans (forget which) on my Maxtor external drive, there are either none there now or they are not in danger of reinfecting my computer should I install a new MBR. I can't say I'm sure which and how many different types of cybernisms still exist. I assume however that whatever tools you used checked those viruses that infect the MBR and those that reside elsewhere.

That being the case. I will make sure that all I find dear(or stimulating in another way) is backed up on my maxtor and then I can replace the MBR-if you'd be so kind to walk me through.

Yea, though I walk through the shadow of the valley of death.....

thanks mon

#14 Noviciate (Malware Response Team)

Posted 19 August 2010 - 04:35 PM

Run MBRCheck.exe again but, when prompted, enter Y this time for further options.
At the "Options" prompt enter 2 - this will overwrite the malicious boot code.
When asked for the "Physical Drive Number", enter 0
When asked for the "MBR Code to write", enter 1
Enter YES to confirm your actions - it needs to be YES and not Y.

Please immediately reboot your PC and let me have the contents of the new text file that will have been created on your Desktop.

So long, and thanks for all the fish.


#15 spodekmodek (Topic Starter)

Posted 19 August 2010 - 09:36 PM

Gracias Noviciate

These are the instructions for overwriting the MBR?(after I've backed everything up)



