
Infected MBR/CD boot BSOD


  • This topic is locked
8 replies to this topic

#1 ripley_dj

ripley_dj

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:40 AM

Posted 05 February 2011 - 09:22 AM

Hi

Just like the person in this topic, a friend of mine got a message from Avast about an infection stating that his notebook's MBR had been tampered with, and that Avast couldn't remove the infection. So he brought his machine to me.

'mbr:\\.\physicaldrive0 rootkit: hidden boot sector' was the search term that brought me here.

I tried to fix it with

  • ClamWin portable -> no directly related infection found, a couple of others though
  • HijackThis -> no infection found
  • GMER -> no infection found
  • mbr -> error reading MBR
  • catchme -> no disk found, detected NTDLL code modification(?)
  • MBRCheck -> infection found, repair offered, but no fix
  • ComboFix -> no infection found
  • F-Secure BlackLight -> didn't run
and finally Kaspersky's TDSSKiller did the trick - well, at least so it seems. Avast shows no more infection and neither does TDSSKiller. BTW the infection was TDSS TDL4, recognized by the Kaspersky tool. However, MBRCheck still shows a note about an unknown MBR. Tried to load a new one with it, twice even, and both options (default #0 and #5, which are Windows 7) go through as if they succeeded, but when it is started again the MBR is still unknown. Any thoughts?

Also, on the same machine, when trying to boot from CD (testing with all the bootable CDs I have) the result is a BSOD stating that acpi.sys is involved. Maybe related? I would have preferred working from a bootable CD, on the assumption that the chances of catching the peskiest ones might be better. Had to resort to safe mode.

I understand if you prefer to work case by case and hence off-the-shelf solutions wouldn't be your way. My friend and I live some distance apart and I can't have his machine at my place all the time, and it's no longer here, so I won't be able to easily give you further details fast. I'm writing anyway, first just in case my (perhaps partial or unfinished) solution would be of help to somebody else, and second just in case the problem should come back, so I might be better prepared. Not to mention the prevailing boot problem, of course. Otherwise the machine seemed to work fine.

The notebook is an HP Pavilion model dv6-2116eo running Win 7 Home 64-bit. It remains a mystery how and even when the infection occurred. ClamWin's findings 'Trojan.Redbrowser' and 'Trojan.Agent-25576' don't seem to be related, or could they be?

TIA for any feedback
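The "unknown MBR" report described in the post above comes from comparing the boot sector's code against known-good images. The following is an added example written for this page (not code from the thread, MBRCheck or TDSSKiller) that performs that kind of check: it parses a 512-byte MBR, decodes the partition table, verifies the 0x55AA trailer and compares the 440-byte boot-code hash and partition layout with a trusted baseline image. The MBR bytes it builds are constructed samples, not sectors captured from the infected notebook.

```python
"""Parse a 512-byte MBR and compare it with a trusted baseline image.
Added example for this thread, not code from MBRCheck, TDSSKiller or the
poster. Sample MBR bytes are constructed, not captured from the notebook."""
import hashlib
import struct

BOOT_CODE_LEN = 440          # bytes 0..439 hold the executable boot code
DISK_SIG_OFF = 440           # 4-byte Windows disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511 must end the sector

def parse_mbr(mbr: bytes) -> dict:
    """Decode boot-code hash, disk signature, partition table and trailer."""
    if len(mbr) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": parts,
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
    }

def check_against_baseline(mbr: bytes, baseline: bytes) -> list:
    """Return findings; an empty list means the MBR matches the known-good image."""
    cur, ref = parse_mbr(mbr), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if cur["boot_code_sha256"] != ref["boot_code_sha256"]:
        findings.append("boot code differs from baseline (unknown MBR)")
    if cur["partitions"] != ref["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: given boot code, one bootable NTFS partition at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + struct.pack("<I", 0x1234ABCD)
            + b"\x00\x00" + entry + b"\x00" * 48 + MBR_SIGNATURE)
```

Capture the sector with a trusted imaging tool from clean boot media, not from the possibly infected running system, since a bootkit can present a clean copy to readers on the host. Boot code that still differs from the known-good Windows 7 image after a cure is exactly what an "unknown MBR" report points at.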

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:40 AM

Posted 07 February 2011 - 07:46 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 ripley_dj

ripley_dj
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:40 AM

Posted 08 February 2011 - 02:45 AM

Hi, m0le

As you may detect from my first post, I was/we were a bit hasty in our turn. Didn't read the forum guidelines carefully enough (ran ComboFix already, albeit to no avail). Too bad if this disqualifies us from your services.

Another minor handicap is that the machine concerned is not mine and hence not always available for testing. And still another one: my friend can't join this conversation directly because of your forum rules.

Anyway, it seems we still have a problem with booting from CD. Could be insignificant as yet, but could turn fatal in case we need to install the OS or something. As far as I understand, this would be the checklist for the next step:
  • double-check for the booting problem if it still exists
  • does the machine run a CD from inside Windows?
  • can you boot from a flash thumbdrive?
Is that right? Any other directions from you? Or are we still on it? Could it be even that all of a sudden the rootkit would have learned to hide from both Avast and Kaspersky?

Thanks

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:40 AM

Posted 08 February 2011 - 08:18 PM

Let's start with the MBR issue. Please run TDSSKiller (as below) and rerun MBRCheck so I can see what it says.


  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#5 ripley_dj

ripley_dj
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:40 AM

Posted 10 February 2011 - 08:52 AM

Hi again

This operation has been delayed a bit because of natural causes.

We'll be back on the line as soon as things get better - day or two, I'd guess, but we'll see.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:40 AM

Posted 10 February 2011 - 02:14 PM

I'll bump you in three days :)
m0le is a proud member of UNITE

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:40 AM

Posted 12 February 2011 - 07:57 PM

How are things going?
m0le is a proud member of UNITE

#8 ripley_dj

ripley_dj
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:40 AM

Posted 13 February 2011 - 06:05 AM

Well, he decided to bet on his luck this time as he's currently quite busy with his studies and such.
Sorry to have bothered you. Anyway, now we know where to go if things turn south.
Thanks again and have a nice time!

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:40 AM

Posted 13 February 2011 - 08:53 AM

No problem. :)

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



