Search Engine Redirect Malware


This topic is locked
27 replies to this topic

#1 MJC629

MJC629

  • Members
  • 15 posts

Posted 24 January 2011 - 02:06 PM

Hello everyone,

I have never posted on here before, so if more information is needed please let me know. I have had this recurring problem for a few months where I mostly get redirected during search engine queries, but also sometimes when I open a random website. It is never the same website that gets redirected. I have tried a number of anti-virus and anti-malware programs, but I can't seem to root out the problem. I have gone through the prep guide, so here is the DDS log. Any assistance would be much appreciated.

Thanks, Matt



DDS (Ver_10-12-12.02) - NTFSx86
Run by Christopher at 10:21:36.29 on Mon 01/24/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1406.481 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Documents and Settings\Christopher\Local Settings\Temporary Internet Files\Content.IE5\62YLXU53\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
uStart Page = hxxp://www.app.com/
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant =
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {5CFA5B80-01F4-420F-B18B-545712C8A1C8}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1285864992078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/popzuma/popcaploader_v10.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-23 11608]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-23 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-23 267944]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-23 61960]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-12-26 312152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2006-5-9 200192]
S0 uqdpoe;uqdpoe;c:\windows\system32\drivers\imsdjh.sys --> c:\windows\system32\drivers\imsdjh.sys [?]
S3 cxru3f46;Virtual Bus for Microsoft ACPI-Compliant System; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]

=============== Created Last 30 ================

2011-01-10 13:48:15 -------- d-----w- c:\program files\CCleaner
2011-01-10 06:40:40 -------- d-----w- c:\windows\pss
2010-12-27 04:08:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-12-27 03:08:00 -------- d-----w- c:\docume~1\christ~1\applic~1\Search Settings
2010-12-27 03:07:50 -------- d-----w- c:\program files\Application Updater
2010-12-27 03:07:49 -------- d-----w- c:\program files\IObit Toolbar
2010-12-27 03:07:49 -------- d-----w- c:\program files\common files\Spigot
2010-12-27 03:07:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\FreeApp
2010-12-26 18:28:38 -------- d-----w- c:\windows\C6359569E03E4CDC98E8CDD080C6EEB5.TMP
2010-12-26 18:28:24 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2010-12-26 18:26:59 -------- d-----w- c:\program files\LeapFrog
2010-12-26 18:26:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\Leapfrog

==================== Find3M ====================

2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2006-12-21 03:00:11 774144 ----a-w- c:\program files\RngInterstitial.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2060AT_PL rev.008300A1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A20FC56]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a2164f4]; MOV EAX, [0x8a216570]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A2D9AB8]
3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000007c[0x8A27F9E8]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A25ED98]
\Driver\atapi[0x8A265C78] -> IRP_MJ_CREATE -> 0x8A20FC56
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2060AT_PL____________________008300A1#5&1c5dd61d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A20FA9F
user != kernel MBR !!!
sectors 117210238 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 10:23:57.34 ===============

Attached Files

  • DDS.txt (10.8KB)
  • ark.txt (29.11KB)
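
As an added example (not from this thread, and not code from the DDS or GMER authors), the following Python triages the two parts of a DDS log that carry the weight in a case like this: the SERVICES / DRIVERS list and the GMER rootkit trace. It runs on a constructed excerpt modelled on the lines quoted above; the regular expressions, the heuristics and the verdict labels are my own assumptions about the log format, not a documented schema.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the DDS and GMER lines quoted in the post above;
# it is sample input for this example, not the full log from the thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
S0 uqdpoe;uqdpoe;c:\windows\system32\drivers\imsdjh.sys --> c:\windows\system32\drivers\imsdjh.sys [?]
S3 cxru3f46;Virtual Bus for Microsoft ACPI-Compliant System; [x]

=================== ROOTKIT ====================

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A20FC56]<<
\Driver\atapi[0x8A265C78] -> IRP_MJ_CREATE -> 0x8A20FC56
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A20FA9F
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
"""

# "==== NAME ====" banners separate DDS sections.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS service/driver line: R0 name;display name;image path [date size]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# GMER disk trace: a module in the I/O chain that matches no loaded driver.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# GMER "detected hooks" line: \Driver\atapi DriverStartIo -> 0x...
HOOK_RE = re.compile(r"^(\\Driver\\\w+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)")


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the section banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "PREAMBLE"
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def triage_services(lines: List[str]) -> List[Dict[str, str]]:
    """Flag service/driver entries whose on-disk state or naming looks wrong (heuristics)."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, start, name, display, path, tag = m.groups()
        reasons = []
        if tag == "?":  # DDS could not stat the image file
            reasons.append("image file could not be found on disk")
        if tag == "x" or not path:  # service key with no image path at all
            reasons.append("no image path recorded")
        if name == display and name.isalpha() and name.islower():
            reasons.append("display name merely repeats a lowercase random-looking token")
        if reasons:
            findings.append({"name": name, "start": f"{state}{start}",
                             "path": path, "why": "; ".join(reasons)})
    return findings


def triage_rootkit(lines: List[str]) -> List[str]:
    """Turn GMER's disk-trace indicators into plain-language findings."""
    findings = []
    for line in lines:
        unknown = UNKNOWN_RE.search(line)
        if unknown:
            findings.append(f"unknown code at {unknown.group(1)} sits in the disk I/O call chain")
        hook = HOOK_RE.match(line)
        if hook:
            findings.append(f"{hook.group(1)} {hook.group(2)} hooked -> {hook.group(3)}")
        if line.startswith("user != kernel MBR"):
            findings.append("MBR read through the API differs from the MBR read by the kernel driver")
    return findings


def triage(log: str) -> Dict[str, object]:
    """Combine both sections; a user/kernel MBR mismatch outranks anything in the service list,
    because a driver loaded from the MBR before the OS can hide whatever else is installed."""
    sections = split_sections(log)
    services = triage_services(sections.get("SERVICES / DRIVERS", []))
    rootkit = triage_rootkit(sections.get("ROOTKIT", []))
    mbr_tampered = any("MBR" in f for f in rootkit)
    verdict = "bootkit-suspected" if mbr_tampered else ("review" if services or rootkit else "clean")
    return {"services": services, "rootkit": rootkit, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```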




#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 24 January 2011 - 03:03 PM

Good evening. :)

Please download MBRCheck.exe by a_d_13 from here and save it to your Desktop.
  • Double click the file to begin the scan.
  • A Command Window will open and after the scan has completed you will be prompted to select further action - please exit in the stated manner.
  • A text file called MBRCheck_date/time.txt can be found on the Desktop. I'd like you to post the contents in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.


#3 MJC629

MJC629
  • Topic Starter

  • Members
  • 15 posts

Posted 24 January 2011 - 04:15 PM

Good evening.

Thank you for getting back to me so quickly. I hope this is what you wanted me to post in my reply.

Thanks again. Matt



MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 140):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0x8A24E000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF7358000 ACPI.sys
0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7347000 pci.sys
0xF7487000 isapnp.sys
0xF7497000 ohci1394.sys
0xF74A7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789F000 compbatt.sys
0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7329000 pcmcia.sys
0xF74B7000 MountMgr.sys
0xF730A000 ftdisk.sys
0xF7989000 dmload.sys
0xF72E4000 dmio.sys
0xF78A7000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF74C7000 VolSnap.sys
0xF72CC000 atapi.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF72AC000 fltmgr.sys
0xF729A000 sr.sys
0xF74F7000 PxHelp20.sys
0xF7283000 KSecDD.sys
0xF71F6000 Ntfs.sys
0xF71C9000 NDIS.sys
0xF7507000 Serial.sys
0xF71AF000 Mup.sys
0xF7717000 avgrkx86.sys
0xF7517000 AVGIDSEH.Sys
0xF7947000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF6566000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6552000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF779F000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF652E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77A7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7537000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF650B000 \SystemRoot\system32\DRIVERS\ks.sys
0xF77AF000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF6961000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77B7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF64DC000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79B5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF77BF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF64C9000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF646E000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF6951000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6447000 \SystemRoot\system32\drivers\tifm21.sys
0xF6433000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF63DD000 \SystemRoot\system32\drivers\camc6hal.sys
0xF6941000 \SystemRoot\system32\drivers\camc6aud.sys
0xF63B9000 \SystemRoot\system32\drivers\portcls.sys
0xF6931000 \SystemRoot\system32\drivers\drmk.sys
0xF6388000 \SystemRoot\system32\DRIVERS\HSFHWATI.sys
0xF628A000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF61DE000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF77C7000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6E21000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7A8B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF6921000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6E1D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF61C7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF6911000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF6901000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF61B6000 \SystemRoot\system32\DRIVERS\psched.sys
0xF68F1000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6186000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF68E1000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79B7000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6128000 \SystemRoot\system32\DRIVERS\update.sys
0xF793B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF68D1000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF75D7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xEB4CA000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
0xF79F5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B0A000 \SystemRoot\System32\Drivers\Null.SYS
0xF79F7000 \SystemRoot\System32\Drivers\Beep.SYS
0xEC695000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xEC68D000 \SystemRoot\System32\drivers\vga.sys
0xF79F9000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79FB000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xEC685000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA52D000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6E29000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB8BEE000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB8B95000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB8B4D000 \SystemRoot\system32\DRIVERS\avgtdix.sys
0xB8B27000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEB4BA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF67B4000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB8A37000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB8A15000 \SystemRoot\System32\drivers\afd.sys
0xF67A4000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA525000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xB89EA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB897A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF6784000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7A01000 \??\C:\WINDOWS\system32\drivers\EABFiltr.sys
0xB8954000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xB8918000 \SystemRoot\system32\DRIVERS\avgldx86.sys
0xF7A23000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xB6F43000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF797B000 \SystemRoot\System32\drivers\Dxapi.sys
0xB808D000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7AA9000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF04E000 \SystemRoot\System32\ati2cqag.dll
0xBF080000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2E3000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAB6CB000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xAB62B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAB4FE000 \SystemRoot\system32\drivers\wdmaud.sys
0xB963E000 \SystemRoot\system32\drivers\sysaudio.sys
0xF6734000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
0xAB2E9000 \SystemRoot\system32\DRIVERS\srv.sys
0xAB3A0000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB47DC000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
0xAAFC9000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
0xAAA4A000 \SystemRoot\System32\Drivers\HTTP.sys
0xA9E07000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF7797000 \??\C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\mbr.sys
0xA9127000 \??\C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\uwdirfob.sys
0xA0D2A000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 50):
0 System Idle Process
4 System
1364 C:\WINDOWS\system32\smss.exe
1704 C:\WINDOWS\system32\csrss.exe
248 C:\WINDOWS\system32\winlogon.exe
544 C:\WINDOWS\system32\services.exe
556 C:\WINDOWS\system32\lsass.exe
848 C:\WINDOWS\system32\ati2evxx.exe
908 C:\WINDOWS\system32\svchost.exe
1132 C:\WINDOWS\system32\svchost.exe
648 C:\WINDOWS\system32\ati2evxx.exe
992 C:\WINDOWS\explorer.exe
296 C:\WINDOWS\system32\svchost.exe
448 C:\WINDOWS\system32\svchost.exe
576 C:\WINDOWS\system32\svchost.exe
1564 C:\WINDOWS\system32\spoolsv.exe
1656 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1008 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
380 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
964 C:\Program Files\IObit\IObit Security 360\is360srv.exe
1112 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
188 C:\Program Files\Java\jre6\bin\jqs.exe
1096 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
1972 C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
2100 C:\WINDOWS\system32\svchost.exe
2260 C:\Program Files\Viewpoint\Common\ViewpointService.exe
3072 C:\WINDOWS\system32\alg.exe
1388 C:\WINDOWS\system32\wbem\wmiprvse.exe
1416 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
2868 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
3396 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3408 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
4020 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
4092 C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
372 C:\Program Files\IObit\IObit Security 360\is360tray.exe
3812 C:\Program Files\HPQ\shared\hpqwmi.exe
868 C:\Program Files\Internet Explorer\iexplore.exe
2272 C:\Program Files\Internet Explorer\iexplore.exe
1408 C:\Program Files\Internet Explorer\iexplore.exe
1340 C:\Program Files\AVG\AVG10\avgtray.exe
3500 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
2368 C:\Program Files\AVG\AVG10\avgwdsvc.exe
2128 C:\Program Files\AVG\AVG10\avgrsx.exe
3724 C:\Program Files\AVG\AVG10\avgcsrvx.exe
1552 C:\Program Files\AVG\AVG10\avgchsvx.exe
2004 C:\Program Files\AVG\AVG10\avgnsx.exe
2808 C:\Program Files\AVG\AVG10\avgemcx.exe
3748 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
2720 C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Temporary Directory 2 for gmer[1].zip\gmer.exe
2712 C:\Documents and Settings\Christopher\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: <error opening>

Size Device Name MBR Status
--------------------------------------------
ERROR Opening: \\.\PhysicalDrive0 (32)


Done!




BIOS Manufacturer: Hewlett-Packard
Name: WPhoenix NoteBIOS 4.0 Release 6.1
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 24 January 2011 - 05:13 PM

Go to Start > Run..., copy the following text, including quotation marks, to the text box and click OK:

"%userprofile%\desktop\MBRCheck.exe" -s 0 -d "C\mbr.dat"

You should see a Command Window open and, once you are instructed to press <ENTER>, do so. I want you to post the contents of the new MBRCheck text file that should have been created on your Desktop - please check the date and time to ensure it's the right one.

So long, and thanks for all the fish.


#5 MJC629

MJC629
  • Topic Starter

  • Members
  • 15 posts

Posted 24 January 2011 - 05:28 PM

Should be the right one. Glad you know what you are looking at.

Thank you again.

Matt

MBRCheck, version 1.2.3
© 2010, AD

Command-line: -s 0 -d C\mbr.dat
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 136):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0x8A24C000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF7358000 ACPI.sys
0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7347000 pci.sys
0xF7487000 isapnp.sys
0xF7497000 ohci1394.sys
0xF74A7000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789F000 compbatt.sys
0xF78A3000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7329000 pcmcia.sys
0xF74B7000 MountMgr.sys
0xF730A000 ftdisk.sys
0xF7989000 dmload.sys
0xF72E4000 dmio.sys
0xF78A7000 ACPIEC.sys
0xF7A50000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF770F000 PartMgr.sys
0xF74C7000 VolSnap.sys
0xF72CC000 atapi.sys
0xF74D7000 disk.sys
0xF74E7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF72AC000 fltmgr.sys
0xF729A000 sr.sys
0xF74F7000 PxHelp20.sys
0xF7283000 KSecDD.sys
0xF71F6000 Ntfs.sys
0xF71C9000 NDIS.sys
0xF7507000 Serial.sys
0xF71AF000 Mup.sys
0xF7717000 avgrkx86.sys
0xF7517000 AVGIDSEH.Sys
0xF794B000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF75F7000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF654F000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF653B000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77AF000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6517000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77B7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7617000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7637000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7627000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF64F4000 \SystemRoot\system32\DRIVERS\ks.sys
0xF77BF000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF694A000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF64C5000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF79AD000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF77CF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF64B2000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF6457000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF693A000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6430000 \SystemRoot\system32\drivers\tifm21.sys
0xF641C000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF63C6000 \SystemRoot\system32\drivers\camc6hal.sys
0xF692A000 \SystemRoot\system32\drivers\camc6aud.sys
0xF63A2000 \SystemRoot\system32\drivers\portcls.sys
0xF691A000 \SystemRoot\system32\drivers\drmk.sys
0xF6371000 \SystemRoot\system32\DRIVERS\HSFHWATI.sys
0xF6273000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF61C7000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF77D7000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6DFE000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7A6E000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF690A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6DFA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF61B0000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF68FA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF68EA000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF619F000 \SystemRoot\system32\DRIVERS\psched.sys
0xF68DA000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF616F000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF68CA000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79B3000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6111000 \SystemRoot\system32\DRIVERS\update.sys
0xF794F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF68BA000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF66C5000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xEC823000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
0xF79F3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B2D000 \SystemRoot\System32\Drivers\Null.SYS
0xF79F5000 \SystemRoot\System32\Drivers\Beep.SYS
0xF77A7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF77FF000 \SystemRoot\System32\drivers\vga.sys
0xF79F7000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79F9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xEC591000 \SystemRoot\System32\Drivers\Msfs.SYS
0xEC589000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6109000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB7FC4000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB7F6B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB7F23000 \SystemRoot\system32\DRIVERS\avgtdix.sys
0xB7EFB000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB7ED9000 \SystemRoot\System32\drivers\afd.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEC581000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xB7E0E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB7D76000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xEBBFE000 \SystemRoot\System32\Drivers\Fips.SYS
0xB7D50000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEBBEE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEBBDE000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF7A07000 \??\C:\WINDOWS\system32\drivers\EABFiltr.sys
0xB7319000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xB72DD000 \SystemRoot\system32\DRIVERS\avgldx86.sys
0xF79D3000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xBA74C000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xED74D000 \SystemRoot\System32\drivers\Dxapi.sys
0xB7153000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B54000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF04E000 \SystemRoot\System32\ati2cqag.dll
0xBF080000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2E3000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAB3E4000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xB033E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAB2B7000 \SystemRoot\system32\drivers\wdmaud.sys
0xB6340000 \SystemRoot\system32\drivers\sysaudio.sys
0xB6310000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
0xAAE22000 \SystemRoot\system32\DRIVERS\srv.sys
0xAB019000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xAAF69000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
0xAAC1A000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
0xAA89B000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 48):
0 System Idle Process
4 System
1852 C:\WINDOWS\system32\smss.exe
1900 C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
396 C:\WINDOWS\system32\csrss.exe
1000 C:\WINDOWS\system32\winlogon.exe
1288 C:\WINDOWS\system32\services.exe
1300 C:\WINDOWS\system32\lsass.exe
1628 C:\WINDOWS\system32\ati2evxx.exe
1680 C:\WINDOWS\system32\svchost.exe
1908 C:\WINDOWS\system32\svchost.exe
240 C:\WINDOWS\system32\svchost.exe
460 C:\WINDOWS\system32\svchost.exe
612 C:\WINDOWS\system32\svchost.exe
1072 C:\WINDOWS\system32\spoolsv.exe
1180 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1520 C:\WINDOWS\system32\ati2evxx.exe
376 C:\WINDOWS\explorer.exe
276 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
432 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
456 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
592 C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
524 C:\Program Files\AVG\AVG10\avgtray.exe
656 C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
440 C:\Program Files\IObit\IObit Security 360\is360tray.exe
1068 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1212 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1260 C:\Program Files\AVG\AVG10\avgwdsvc.exe
1716 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
268 C:\Program Files\IObit\IObit Security 360\is360srv.exe
744 C:\Program Files\Java\jre6\bin\jqs.exe
2100 C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
2692 C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
2708 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe
2984 C:\WINDOWS\system32\svchost.exe
3320 C:\Program Files\Viewpoint\Common\ViewpointService.exe
3460 C:\Program Files\AVG\AVG10\avgnsx.exe
3480 C:\Program Files\AVG\AVG10\avgemcx.exe
3664 C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
2836 C:\WINDOWS\system32\wbem\wmiprvse.exe
2996 C:\WINDOWS\system32\alg.exe
2964 C:\Program Files\HPQ\shared\hpqwmi.exe
2528 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
2892 C:\Program Files\Internet Explorer\iexplore.exe
3008 C:\Program Files\Internet Explorer\iexplore.exe
284 C:\PROGRA~1\AVG\AVG10\avgrsx.exe
3092 C:\Program Files\AVG\AVG10\avgcsrvx.exe
2664 C:\Documents and Settings\Christopher\Desktop\MBRCheck.exe

Dumping \\.\PhysicalDrive0 to C\mbr.dat...
Error opening output file (0)!


Done!

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:48 AM

Posted 24 January 2011 - 05:45 PM

The problem we have is that the tool seems to be unable to read the MBR, so this will take a little more time to solve than perhaps you'd like.

Download Bootkit Remover by eSage Lab from here and save it to your Desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you have a way to "un-rar" files, then do so. If you don't you'll need to install something to handle the task. The following is freeware and works very nicely:

Download 7zip from here and save it to your Desktop.
Double click the executable to install the program as you usually do and follow the instructions - if instructed, reboot the PC.
Now right click bootkit_remover.rar and select 7-Zip > Extract Here

You should now see three files, remover.exe, readme_ru.txt and readme_en.txt - feel free to delete the two text files as they aren't needed - just make sure that remover.exe is directly on the Desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To run the scanner, do the following:

Go to Start > Run..., enter cmd into the textbox and click OK
Copy and paste the following into the Command Window that has opened and press <ENTER> TWICE - this is important:

"%userprofile%\desktop\remover.exe" > "%userprofile%\desktop\removerlog.txt"

I'd like a copy of removerlog.txt that should appear on your Desktop.

So long, and thanks for all the fish.


#7 MJC629

MJC629
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 24 January 2011 - 06:04 PM

Noviciate,

I never expected this to be a quick removal. Thanks for your help again.

Hope this is what you were expecting.


Bootkit Remover
© 2009 eSage Lab
www.esagelab.com
Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]

Done;



Press any key to quit...

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:48 AM

Posted 25 January 2011 - 02:58 PM

Good evening. :)

Go to Start > Run..., copy and paste the following into the textbox and click OK:

"%userprofile%\desktop\remover.exe" dump \\.\PhysicalDrive0 c:\mbrdump.dat

Once the tool has completed it will tell you and you can press <ENTER> to close the window that opens.

There should be a file called mbrdump.dat created in the root of your main drive: C:\. I'd like you to zip up a copy and attach it in your next reply - assuming that the tool has done its task.
Please note that you need to leave the original file where it is as we may need a back-up just in case.
If you're not sure how to attach a file, this linky has the information you require, near the bottom of the page.

So long, and thanks for all the fish.


#9 MJC629

MJC629
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 25 January 2011 - 04:31 PM

No problem, attached below.

Thanks again.

Matt

Attached Files



#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:48 AM

Posted 25 January 2011 - 04:48 PM

The folder appears to be empty - would you have another go and see if the problem is at your end.

So long, and thanks for all the fish.


#11 MJC629

MJC629
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 25 January 2011 - 05:00 PM

I must have missed it before. A "File not found or no read permission" opened when I zipped it again. See what I can do

#12 MJC629

MJC629
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 25 January 2011 - 05:06 PM

Just a novice at this computer stuff. If this is not sufficient or if there was supposed to be more info let me know.


Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Dumping master boot sector of \\.\PhysicalDrive0...

00000000: 33 c0 8e d0 bc 00 7c 8e c0 8e d8 be 00 7c bf 00 | 3.....|......|..
00000010: 06 b9 00 02 fc f3 a4 50 68 1c 06 cb fb 60 b9 37 | .......Ph....`.7
00000020: 01 bd 2a 06 d2 4e 00 45 e2 fa 44 85 56 70 1c b8 | ..*..N.E..D.Vp..
00000030: 26 04 08 68 62 40 0e 83 0c a3 3a 81 96 84 f5 17 | &..hb@....:.....
00000040: 10 c7 03 71 01 e1 00 37 26 bf ad c1 37 60 00 a3 | ...q...7&...7`..
00000050: c9 00 33 e2 88 41 ff d8 e8 06 83 4c ff 8e b0 00 | ..3..A.....L....
00000060: 7d e9 04 e2 c1 5e 40 cf 49 a1 f3 02 b0 0c ab b7 | }....^@.I.......
00000070: c2 ea 00 00 00 00 03 1b 0c b5 04 04 d8 60 bd 20 | .............`.
00000080: 02 0e c7 81 77 80 3e 18 73 08 f1 02 cc ff b1 57 | ....w.>.s......W
00000090: 10 66 c7 81 b7 80 33 ff 6c d9 04 99 f1 60 0e 20 | .f....3.l....`.
000000a0: cc 40 33 4a c0 db 40 99 62 c0 33 46 c0 1c 40 d2 | .@3J..@.b.3F..@.
000000b0: 84 be da 02 51 61 95 1c 9b 13 5d 01 00 eb ed 20 | ....Qa....]....
000000c0: 11 d6 98 30 26 ff 89 6f 11 9f d9 c1 df 3c ab e3 | ...0&..o.....<..
000000d0: 15 8f d9 c1 40 40 00 23 13 c7 45 6b 76 70 44 be | ....@@.#..EkvpD.
000000e0: 67 07 44 63 76 70 32 fb 9d 75 02 4a da 88 b6 fb | g.Dcvp2..u.J....
000000f0: 87 75 ee 22 c3 3b 40 22 3c b4 04 af 7c 80 d5 00 | .u.".;@"<...|...
00000100: 04 31 ed a2 c3 3b 40 c4 81 a0 5a 02 26 ff f7 0f | .1...;@...Z.&...
00000110: 15 8f d9 c1 00 8c 4c 1f 15 ad d9 c1 11 d8 9d 1c | ......L.........
00000120: 11 af d9 c1 00 9e 81 b7 13 cf 45 63 76 70 81 30 | ..........Ecvp.0
00000130: 8c 4a ba b6 2c 3c 33 c4 81 e8 1d ff 31 dc dd 40 | .J..,<3.....1..@
00000140: 00 be f4 02 7e 6a 49 bb 0b c9 3a 83 20 ec 1c 1b | ....~jI...:. ...
00000150: 20 29 f4 40 f9 98 4f 2d ea ea e1 1b 8c 27 89 d8 | ).@..O-.....'..
00000160: 00 02 c3 49 6e 76 61 6c 69 64 20 70 61 72 74 69 | ...Invalid parti
00000170: 74 69 6f 6e 20 74 61 62 6c 65 00 45 72 72 6f 72 | tion table.Error
00000180: 20 6c 6f 61 64 69 6e 67 20 6f 70 65 72 61 74 69 | loading operati
00000190: 6e 67 20 73 79 73 74 65 6d 00 4d 69 73 73 69 6e | ng system.Missin
000001a0: 67 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 | g operating syst
000001b0: 65 6d 00 00 00 2c 44 63 aa 95 aa 95 00 00 80 01 | em...,Dc........
000001c0: 01 00 07 fe ff ff 3f 00 00 00 80 3d fc 06 00 00 | ......?....=....
000001d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa | ..............U.

512 bytes written to c:\mbrdump.dat

Done;
Press any key to quit...

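Added example, not code from the eSage Lab tool or from anyone in this thread: a small Python parser for the remover.exe dump format pasted above, so a helper can sanity-check a pasted dump (boot signature, disk signature, partition table, cleartext strings in the boot code) when the .dat itself cannot be attached. The embedded sample reuses only the lines from 0x160 onward; omitted lines are assumed to be zero, and the boot-code bytes themselves are not interpreted.

```python
import re
import struct

# Constructed sample: lines copied from the dump above; only 0x160-0x1cf and 0x1f0
# are embedded, the omitted lines are zero-filled for this example.
SAMPLE_DUMP = """
00000160: 00 02 c3 49 6e 76 61 6c 69 64 20 70 61 72 74 69 | ...Invalid parti
00000170: 74 69 6f 6e 20 74 61 62 6c 65 00 45 72 72 6f 72 | tion table.Error
00000180: 20 6c 6f 61 64 69 6e 67 20 6f 70 65 72 61 74 69 | loading operati
00000190: 6e 67 20 73 79 73 74 65 6d 00 4d 69 73 73 69 6e | ng system.Missin
000001a0: 67 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 | g operating syst
000001b0: 65 6d 00 00 00 2c 44 63 aa 95 aa 95 00 00 80 01 | em...,Dc........
000001c0: 01 00 07 fe ff ff 3f 00 00 00 80 3d fc 06 00 00 | ......?....=....
000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa | ..............U.
"""

# "<offset>: <16 hex bytes> | <ascii>" as printed by the tool
HEX_LINE = re.compile(r"^([0-9a-fA-F]{8}): ((?:[0-9a-fA-F]{2} ){15}[0-9a-fA-F]{2}) \|")

def hexdump_to_bytes(text, size=512):
    """Rebuild the sector from dump lines; lines not present stay zero."""
    buf = bytearray(size)
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        off = int(m.group(1), 16)
        if off + 16 > size:
            raise ValueError(f"offset {off:#x} outside a {size}-byte sector")
        buf[off:off + 16] = bytes.fromhex(m.group(2))
    return bytes(buf)

def parse_mbr(mbr):
    """Decode: boot code, disk signature at 0x1b8, 4 partition entries at 0x1be, 0x55AA at 0x1fe."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, 0x1be + 16 * i)
        if ptype:  # partition type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count,
                          "size_gib": round(count * 512 / 2**30, 1)})
    # Printable strings in the boot-code area: a stock MBR keeps its error
    # messages here, and in this dump they are still readable in the clear.
    strings = [s.decode() for s in re.findall(rb"[\x20-\x7e]{8,}", mbr[:0x1b8])]
    return {"boot_signature_ok": mbr[0x1fe:] == b"\x55\xaa",
            "disk_signature": struct.unpack_from("<I", mbr, 0x1b8)[0],
            "partitions": parts, "strings": strings}
```

The single bootable NTFS-type (0x07) partition it reports, 63 sectors in and roughly 55.9 GiB long, matches the "55 GB \\.\PhysicalDrive0" line the scanner printed earlier.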
#13 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:48 AM

Posted 25 January 2011 - 05:36 PM

The file I was hoping to see attached was c:\mbrdump.dat. What is it that you have copy and pasted?

So long, and thanks for all the fish.


#14 MJC629

MJC629
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 25 January 2011 - 05:48 PM

I copied and pasted what appeared in the C:\ when I ran "%userprofile%\desktop\remover.exe" dump \\.\PhysicalDrive0 c:\mbrdump.dat

I tried to zip it again and no luck. Still working on it

#15 MJC629

MJC629
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 25 January 2011 - 06:36 PM

The file mbrdump is in C:\ drive but when I zip it, I get the File not found or no read permission error message.

I also tried to attach the file directly in the attachments, but I get error no file was selected for upload.

I then tried to open a bunch of the normal ways (that I know of at least) to open a .dat file (Wordpad, notepad, adobe, etc.) but I am denied access each time.

It says the file is 512 bytes, but can't get into it.

Any ideas?

Thanks again for the help.
