Whistler@mbr Malware


23 replies to this topic

#1 CrossPanzer (Members)

Posted 22 January 2011 - 08:44 PM

My Avast anti-virus detected this in the Disk 0 Master Boot Record called Whistler@mbr. Not sure how long I've had it because nothing has really happened for a while. I reformatted the drive once and it's still there so here I am now with logs from GMER and DDS. Hope you can help.

#2 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 22 January 2011 - 09:14 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button and select Immediate Notification, then click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix, I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 CrossPanzer (Topic Starter)

Posted 22 January 2011 - 09:43 PM

Alright. Here's the log.

One problem I did encounter was when it wanted me to reboot. After I told it 'yes', it asked if I wanted to save a text file (from ComboFix) and I clicked yes again. Before I could tell it to save, the dialog box disappeared and then nothing happened. But after I just shut off the computer via the power button, ComboFix started up again when I got to the desktop and produced the log, so nothing bad happened, I don't think.


ComboFix 11-01-22.02 - Panzer 01/22/2011 18:35:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2814.2491 [GMT -8:00]
Running from: c:\documents and settings\Panzer\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-12-23 to 2011-01-23 )))))))))))))))))))))))))))))))
.

2011-01-23 00:24 . 2011-01-23 00:24 -------- d-----w- C:\Temp
2011-01-23 00:01 . 2011-01-23 00:11 -------- d-----w- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-23 00:19 . 2007-06-26 06:11 505128 ----a-w- c:\windows\system32\msvcp71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-04-11 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-27 16875008]
"SoundMan"="SOUNDMAN.EXE" [2008-06-19 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-20 2808832]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-16 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-16 50472]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2011-01-23 557056]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-30 210216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/22/2011 4:59 PM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/22/2011 4:59 PM 17744]
.
.
------- Supplementary Scan -------
.
LSP: %SYSTEMROOT%\system32\nvLsp.dll
FF - ProfilePath - c:\documents and settings\Panzer\Application Data\Mozilla\Firefox\Profiles\tgx6ldao.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-22 18:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\nvLsp.dll
.
Completion time: 2011-01-22 18:37:46
ComboFix-quarantined-files.txt 2011-01-23 02:37

Pre-Run: 310,642,614,272 bytes free
Post-Run: 310,651,543,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7E1433234EA8315C1222CE11255726A7

Attached File: log.txt (4.36KB)

Edited by gringo_pr, 22 January 2011 - 09:57 PM.


#4 gringo_pr (Malware Response Team)

Posted 22 January 2011 - 10:07 PM

Hello

Please run this next for me, and does Avast still detect Whistler?


MBRCheck

Please also download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run it (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread


#5 CrossPanzer (Topic Starter)

Posted 22 January 2011 - 10:12 PM

Avast still detects Whistler. I'm also not sure if it's always been like that but it's now Whistler@mbr [Rtk]

Here's the MBRCheck log

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 123):

Processes (total 28):

\\.\C: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000001`805e2000 (NTFS)

PhysicalDrive2 Model Number: ST3320418AS, Rev: CC38
PhysicalDrive0 Model Number: ST3320620A, Rev: 3.AAE
PhysicalDrive1 Model Number: Maxtor6Y200P0, Rev: YAR41BW0

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive2 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 55D22FACFA0250F2B3D94EC565072522D6388C82
189 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 55D22FACFA0250F2B3D94EC565072522D6388C82


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

#6 gringo_pr (Malware Response Team)

Posted 22 January 2011 - 10:17 PM

Run MBRCheck.exe

  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you "Enter your choice:", enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show "Available MBR codes:", followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • The program will prompt for confirmation. Type 'YES' and hit Enter.
  • Left click on the title bar (where the program name and path are written).
  • From the menu choose Edit -> Select All
  • Hit the Enter key on your keyboard to copy the selected text.
  • Paste that text into Notepad and save it to your desktop as "MBRCheck results.txt"
  • Restart your PC.
  • Post the text in "MBRCheck results.txt" here, please.


#7 CrossPanzer (Topic Starter)

Posted 22 January 2011 - 10:28 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000003d

\\.\C: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000001`805e2000 (NTFS)

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive2 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 55D22FACFA0250F2B3D94EC565072522D6388C82
189 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 55D22FACFA0250F2B3D94EC565072522D6388C82


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!
Press ENTER to exit...

#8 gringo_pr (Malware Response Team)

Posted 22 January 2011 - 11:09 PM

Good Evening

I am researching how to clear the MBRs on the extra hard drives, but some information for you.

Being that it is not on the boot drive means that it is not active and can't infect the computer, and that by fixing them, if there is a problem, you could lose all the data on these drives.
If you were to install an operating system on these drives, the MBR would be rewritten anyway and the virus removed.
The easiest and safest thing to do is tell your antivirus to ignore this and leave it alone.
So I would like to know what you would like me to do:

leave it alone, or research more on how to clean it out.



Gringo

#9 CrossPanzer (Topic Starter)

Posted 23 January 2011 - 12:02 AM

I am very uneasy with something like this being left the way it is. If you're able to find more info on how to get rid of these things (didn't know they were on all three of my drives, it might be on my external one as well) that would be great.

#10 gringo_pr (Malware Response Team)

Posted 23 January 2011 - 12:05 AM

Hello

Ok, I will have something for you by morning.


gringo

#11 gringo_pr (Malware Response Team)

Posted 23 January 2011 - 12:10 AM

Print out these instructions to use while in the Recovery Console:

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which operating system to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entry, and press 'Enter':

fixmbr \Device\HardDisk0

NOTE: there is a space between mbr and \Device:

fixmbr[space]\Device\HardDisk0



rerun mbrfix for me after

Edited by gringo_pr, 23 January 2011 - 12:11 AM.


#12 CrossPanzer (Topic Starter)

Posted 23 January 2011 - 12:31 AM

Should I just google and grab mbrfix on my own?

#13 gringo_pr (Malware Response Team)

Posted 23 January 2011 - 12:46 AM

Sorry,

MBRCheck is what I want you to rerun for me.


Gringo

#14 CrossPanzer (Topic Starter)

Posted 23 January 2011 - 01:16 AM

I plugged my external hard drive back in (the 1000GB figure).

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000007d

\\.\C: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000001`805e2000 (NTFS)
\\.\G: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive2 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
189 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 55D22FACFA0250F2B3D94EC565072522D6388C82
1397 GB \\.\PhysicalDrive3 MBR Code Faked!
SHA1: E7EE86F666D0D72582F099FBCDBAD7976F6EEBA4


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
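The MBRCheck reports in this thread show why the fixmbr targets are physical disk numbers rather than drive letters: C: sits on PhysicalDrive2, while the flagged MBRs were on PhysicalDrive0, PhysicalDrive1 and (the external) PhysicalDrive3. The following Python script is an added example, not part of the thread and not MBRCheck's own code: it parses a report of this shape into a per-disk view, identifies the boot disk, and lists the flagged disks as the \Device\HardDiskN arguments fixmbr takes. The status wording and SHA1 values are copied from post #14 above; the verdict labels (bad, suspicious, known-good) are my own.

```python
"""Triage an MBRCheck report of the shape posted in this thread: map drive
letters to PhysicalDrive numbers, record the verdict and SHA1 per disk, and
list flagged disks as the \\Device\\HardDiskN arguments fixmbr expects."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SECTOR_BYTES = 512

# \\.\C: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
VOLUME_RE = re.compile(
    r"^\\\\\.\\([A-Z]): --> \\\\\.\\PhysicalDrive(\d+) at offset "
    r"0x([0-9a-fA-F]{8})`([0-9a-fA-F]{8}) \((\w+)\)$"
)
# 298 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
STATUS_RE = re.compile(r"^(\d+) GB \\\\\.\\PhysicalDrive(\d+) (.+)$")
SHA1_RE = re.compile(r"^SHA1: ([0-9A-Fa-f]{40})$")


@dataclass
class Disk:
    number: int
    size_gb: int = 0
    status: str = ""          # MBRCheck's own wording
    sha1: str = ""            # MBRCheck's hash of the MBR, as printed
    volumes: dict[str, int] = field(default_factory=dict)  # letter -> start LBA


def classify(status: str) -> str:
    """Verdict labels are mine; matching on the leading phrase also copes with
    console output wrapped mid-word ('Black I' / 'nternet)!' in the thread)."""
    if "Known-bad MBR code" in status:
        return "bad"
    if "MBR Code Faked" in status:
        return "suspicious"
    if "MBR code detected" in status:  # e.g. 'RE: Windows XP MBR code detected'
        return "known-good"
    return "unknown"


def parse_report(text: str) -> dict[int, Disk]:
    disks: dict[int, Disk] = {}
    current: Disk | None = None  # disk whose SHA1 line follows
    for raw in text.splitlines():
        line = raw.strip()
        if m := VOLUME_RE.match(line):
            letter, num, hi, lo, _fs = m.groups()
            disk = disks.setdefault(int(num), Disk(int(num)))
            # 0x7e00 bytes = LBA 63, the classic first-partition start
            disk.volumes[letter] = int(hi + lo, 16) // SECTOR_BYTES
        elif m := STATUS_RE.match(line):
            size, num, status = m.groups()
            current = disks.setdefault(int(num), Disk(int(num)))
            current.size_gb, current.status = int(size), status
        elif (m := SHA1_RE.match(line)) and current is not None:
            current.sha1 = m.group(1).upper()
    return disks


def boot_disk(disks: dict[int, Disk]) -> int | None:
    """PhysicalDrive carrying C:, the only MBR code that runs at boot; bad
    code on another disk is dormant but still a finding to clean."""
    return next((d.number for d in disks.values() if "C" in d.volumes), None)


def fixmbr_targets(disks: dict[int, Disk]) -> list[str]:
    """Flagged disks in fixmbr's form, lowest disk number first."""
    flagged = [d for d in disks.values() if classify(d.status) in ("bad", "suspicious")]
    return [f"\\Device\\HardDisk{d.number}" for d in sorted(flagged, key=lambda d: d.number)]


# Constructed sample: the report from post #14, with the wrapped lines rejoined.
SAMPLE_REPORT = r"""
\\.\C: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000001`805e2000 (NTFS)
\\.\G: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
298 GB \\.\PhysicalDrive2 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
189 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 55D22FACFA0250F2B3D94EC565072522D6388C82
1397 GB \\.\PhysicalDrive3 MBR Code Faked!
SHA1: E7EE86F666D0D72582F099FBCDBAD7976F6EEBA4
"""
```

Running `fixmbr_targets(parse_report(SAMPLE_REPORT))` yields HardDisk1 and HardDisk3, the two disks post #15 tells the user to fix, while `boot_disk` reports PhysicalDrive2 (C:) as the only disk whose MBR code executes at startup.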

#15 gringo_pr (Malware Response Team)

Posted 23 January 2011 - 02:26 AM

Print out these instructions to use while in the Recovery Console:

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which operating system to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entry, and press 'Enter':

fixmbr \Device\HardDisk1

NOTE: there is a space between mbr and \Device:

fixmbr[space]\Device\HardDisk1

After you have done that, do the same for

fixmbr \Device\HardDisk3




Rerun MBRCheck for me after you have done the two.



