
MBR.SYS Infection



#1 jjwinc (Members, 13 posts)

Posted 05 November 2010 - 01:29 PM

A friend of the family tried disinfecting their machine on their own, downloading and running ComboFix among other things (Malwarebytes, Spybot, SUPERAntiSpyware). From what they told me, it all started with AV8 fake antivirus, and they thought they had it cleaned, but when they ran SUPERAntiSpyware, it found C:\Windows\MBR.EXE.

Since this is an MBR infection, I don't want to mess around with it. I always get these machines after people try to disinfect on their own. I'm posting the logs, why can't they?! Anyhow, here are the logs as the machine stands right now.

Any help would be greatly appreciated.





DDS (Ver_10-11-03.01) - NTFSx86
Run by ZLenny at 13:58:27.85 on Fri 11/05/2010
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2036.1193 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dldtcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\ZLenny\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/?cid=NET_mmhpset
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
mURLSearchHooks: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
TB: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [dldtmon.exe] "c:\program files\dell v305\dldtmon.exe"
mRun: [dldtamon] "c:\program files\dell v305\dldtamon.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-4 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-11-4 1153368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-26 136176]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-05 16:45:46 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2010-11-05 16:45:45 -------- d-----w- c:\users\zlenny\appdata\roaming\SUPERAntiSpyware.com
2010-11-05 16:45:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-05 16:10:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-05 16:10:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-05 16:10:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-05 15:50:34 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{92a659ba-17a2-47e0-a3fc-0176c70b94c2}\mpengine.dll
2010-11-04 11:15:06 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2010-11-04 11:15:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-04 11:13:28 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-04 11:13:27 -------- d-----w- c:\program files\Panda Security
2010-11-04 10:30:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-04 10:30:57 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-11-03 22:39:12 -------- d-----w- c:\users\zlenny\appdata\local\temp
2010-11-03 22:38:53 -------- d-sh--w- C:\$RECYCLE.BIN
2010-11-03 22:34:25 -------- d-----w- C:\ComboFix
2010-11-03 22:06:55 98816 ----a-w- c:\windows\sed.exe
2010-11-03 22:06:55 256512 ----a-w- c:\windows\PEV.exe
2010-11-03 22:06:55 161792 ----a-w- c:\windows\SWREG.exe
2010-11-03 22:05:13 -------- d-----w- c:\users\zlenny\appdata\local\Apple Computer
2010-11-03 21:58:52 -------- d-----w- c:\program files\CCleaner
2010-11-03 16:10:54 -------- d-----w- C:\Cleaners
2010-10-27 06:11:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-27 06:11:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 06:11:42 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-14 20:03:03 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-10-14 20:03:02 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-11 14:09:25 403398 ----a-w- c:\progra~2\SPL3141.tmp

==================== Find3M ====================

2010-09-16 22:21:47 405758 ----a-w- c:\progra~2\SPLCA1A.tmp
2010-09-16 16:19:02 396894 ----a-w- c:\progra~2\SPLA863.tmp
2010-09-16 16:06:02 345274 ----a-w- c:\progra~2\SPLF958.tmp
2010-09-16 15:57:54 415986 ----a-w- c:\progra~2\SPLF316.tmp
2010-09-16 15:52:42 408092 ----a-w- c:\progra~2\SPL2E92.tmp
2010-09-16 15:45:50 397580 ----a-w- c:\progra~2\SPLFEB5.tmp
2010-09-16 15:31:36 419930 ----a-w- c:\progra~2\SPLECB4.tmp
2010-09-16 15:24:35 421700 ----a-w- c:\progra~2\SPL7FB6.tmp
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20:29 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19:06 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-03 17:58:11 253220 ----a-w- c:\progra~2\SPL3.tmp
2010-09-03 17:56:23 253220 ----a-w- c:\progra~2\SPL5B58.tmp
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-23 16:07:27 209788 ----a-w- c:\progra~2\SPLF1E9.tmp
2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-20 01:44:35 122576 ----a-w- c:\progra~2\SPL3403.tmp
2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-10 15:53:15 274944 ----a-w- c:\windows\system32\schannel.dll

============= FINISH: 13:58:48.72 ===============
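The DDS log above is the kind of thing a helper reads by eye, section by section. The following is an added example (not part of the original post, and not a DDS or BleepingComputer tool) of doing that first pass programmatically: it splits the log on its `==== Section ====` headers and flags the entries a reviewer would want to look at first: a `Hosts:` line blackholing a host, an IE extension registered with `No File`, a service DDS could not stat (`[?]`), and a boot- or system-start driver (`R0`/`R1`) whose file also appears in "Created Last 30". The sample input is a constructed excerpt of the log above; the section names, regexes and the `Finding` class are this example's own assumptions. A flag means "verify", not "malicious": `pavboot.sys` is flagged here because it was written on 2010-11-04, the same minute the `c:\program files\Panda Security` folder was created, which is consistent with Panda's online scanner, not with the AV8 infection.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the DDS log posted above (same entries, trimmed to the
# sections this triage uses). Not a file read from disk.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/?cid=NET_mmhpset
uURLSearchHooks: Free Radio TV Toolbar: {9dbb9aeb-5a16-4989-a66f-c0f1c909d647} - c:\program files\free_radio_tv\tbFree.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-11-4 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

=============== Created Last 30 ================

2010-11-04 11:13:28 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-11-03 22:06:55 98816 ----a-w- c:\windows\sed.exe

============= FINISH: 13:58:48.72 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                     # "==== Name ===="
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")      # "R0 name;display;path [date size]"
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ \S+ (.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    kind: str   # short category tag (this example's own vocabulary)
    line: str   # the DDS line that triggered it
    note: str   # why a reviewer should look at it


def split_sections(text: str) -> dict:
    """Group non-empty lines under the upper-cased name of the header above them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def triage(text: str) -> list:
    """Return the entries of a DDS log worth a second look, in log order."""
    sections = split_sections(text)
    hjt = sections.get("PSEUDO HJT REPORT", [])
    services = sections.get("SERVICES / DRIVERS", [])
    created = sections.get("CREATED LAST 30", [])
    findings = []

    # Basenames of files written in the last 30 days, lower-cased for matching.
    recent = set()
    for line in created:
        m = CREATED_RE.match(line)
        if m:
            recent.add(m.group(1).rsplit("\\", 1)[-1].lower())

    for line in hjt:
        m = HOSTS_RE.match(line)
        if m and m.group(1) in ("127.0.0.1", "0.0.0.0"):
            findings.append(Finding("hosts-redirect", line,
                                    f"{m.group(2)} is blackholed; check who added the entry"))
        if line.startswith(("BHO:", "TB:", "uURLSearchHooks:", "mURLSearchHooks:")) \
                and line.endswith("No File"):
            findings.append(Finding("orphan-ie-extension", line,
                                    "registered but the file is gone: leftover of a removal"))

    for line in services:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        start, _name, _display, rest = m.groups()
        if rest.endswith("[?]"):
            findings.append(Finding("unverified-service", line, "DDS could not stat the binary"))
        if start in ("R0", "R1"):
            hits = [b for b in recent if b in rest.lower()]
            if hits:
                findings.append(Finding("recent-boot-driver", line,
                                        f"{hits[0]} is a boot/system-start driver written in the "
                                        "last 30 days; confirm vendor and signature"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.line}\n    {f.note}")
```

Run against the full log rather than the excerpt, the same four checks fire on the same four lines; the "Running Processes" and "Find3M" sections are ignored. The matching of recent files to driver paths is by basename, so it tolerates the 8.3 paths (`c:\progra~2\...`) DDS prints in some sections.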

#2 jjwinc (Topic Starter)

Posted 12 November 2010 - 09:12 AM

I have not heard back from a technician since my original posting on November 5, 2010. Since I didn't want to leave them without a PC for such an extended period of time, I simply wiped the drive clean, zeroed out the MBR, and started over from scratch. System is back in working order, this topic can be closed.
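Wiping and zeroing sector 0, as the poster did, is the conservative answer to a suspected MBR infection. Before or after that step a practitioner usually wants to look at the sector itself, and the following is an added example (not from the poster or from any tool named on this page) of doing so: it parses a 512-byte MBR into bootstrap code, partition table and boot signature, and compares the hash of the bootstrap code (bytes 0 to 439) against a known-good baseline. Hashing that region separately matters because an MBR bootkit replaces the bootstrap code while leaving the partition table looking normal. The three sectors it checks are constructed in the block (a clean one, the same one with its first two bytes patched, and an all-zero one); the hash baseline and the verdict strings are this example's own assumptions.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
BOOTCODE_LEN = 440             # bytes 0-439: bootstrap code; 440-445: disk signature / reserved
PTABLE_OFF = 446               # four 16-byte partition entries follow


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into bootstrap-code hash, partition table and signature check."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector[PTABLE_OFF + 16 * i : PTABLE_OFF + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:            # empty slot
            continue
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        partitions.append({"index": i, "bootable": entry[0] == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "all_zero": not any(sector),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def assess(sector: bytes, baseline_bootcode_sha256: str) -> str:
    """Verdict for one sector against a known-good bootstrap-code hash (verdict names are ours)."""
    info = parse_mbr(sector)
    if info["all_zero"]:
        return "zeroed"               # nothing boots from it; what zeroing sector 0 leaves behind
    if not info["signature_ok"]:
        return "no-boot-signature"    # corrupt sector, or not an MBR-style disk at all
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        return "bootcode-mismatch"    # table may be fine; the code that runs at boot is not expected
    return "ok"


def build_sample_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a constructed MBR for the demo (not read from any real disk)."""
    sector = bytearray(SECTOR)
    sector[: len(bootcode)] = bootcode
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PTABLE_OFF + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample data: a 7-byte x86 prologue padded with NOPs stands in for real bootstrap code.
SAMPLE_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOTCODE_LEN, b"\x90")
KNOWN_GOOD = build_sample_mbr(SAMPLE_BOOTCODE, [(True, 0x07, 2048, 1_000_000)])
BASELINE_HASH = parse_mbr(KNOWN_GOOD)["bootcode_sha256"]

# Same partition table, first two bytes of the bootstrap code replaced by a short jump:
# the shape of a bootkit-style change, where the table still looks normal.
_t = bytearray(KNOWN_GOOD)
_t[0:2] = b"\xeb\x3c"
TAMPERED = bytes(_t)

ZEROED = bytes(SECTOR)   # 512 zero bytes, as after `dd if=/dev/zero` over sector 0


if __name__ == "__main__":
    for name, sec in (("known_good", KNOWN_GOOD), ("tampered", TAMPERED), ("zeroed", ZEROED)):
        print(f"{name:11s} -> {assess(sec, BASELINE_HASH)}")
```

On a real disk the sector comes from `dd if=/dev/sda bs=512 count=1 of=mbr.bin` on a Linux boot medium, or on Windows from an administrator prompt via `open(r"\\.\PhysicalDrive0", "rb").read(512)`. Take the baseline hash from a clean machine with the same Windows version, or from an image of the same disk taken before the incident; OEM recovery tools sometimes write their own MBR code, so a mismatch is a lead to follow, not a verdict. Read the sector from outside the suspect OS where you can: a rootkit that has hooked the disk stack can hand a clean-looking sector 0 to anything running on the live system.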

#3 Budapest (Moderator)

Posted 12 November 2010 - 05:10 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.