
I think MBR malaware


#1 accacca

Posted 20 March 2011 - 08:07 PM

Hello, sorry for my bad English... Thanks in advance to all for your help.
I have a virus problem with two PCs.
PC1 is used only for a few applications and doesn't contain important data/programs.
PC2 is the master PC, with all data and programs.
Both are infected.

The infection started on PC1, I think after I used a keygen (....)
and propagated to PC2 with a pendrive (but I am not sure of this; the PCs are also network connected).

I have opened this topic for PC1 only.
After it is solved (I hope) I will open a new topic for PC2.
Before the infection this PC had WIN XP SP3 with AVIRA antivirus, COMODO firewall and Spyware Terminator.
The first visible problem of the infection was with AVIRA (can't update).
I have also formatted and reinstalled WIN XP on this PC, but without solving the problem.
From the WIN XP installation procedure I deleted the disk partition, created a new one and also reformatted the disk (slow mode), but the virus survived!!

After the infection on PC2 I panicked.. I shut off PC2 and used various programs on PC1, but only created a big confusion.
After this I found this forum, read the preparation guide and started this topic.
I hope someone can help me solve the problem.
At the moment I have removed AVIRA, SPYWARE and COMODO; the PC is connected to the network and I can start WIN also in safe mode.

I also have available a disk with Linux UBUNTU; I can download programs in Linux and then save them to the desktop directory, or is the best solution saving directly from Windows, if it works?

I also add GMER info (maybe a stupid piece of info...)
--> GMER following the guide procedure works well, but if I open the zip folder and drag the icon to the desktop with the mouse, the extraction fails with "explorer unspecified error"

Below I send the requested logs

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by diego at 1.09.38,37 on 21/03/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1024.732 [GMT 1:00]
.
AV: AntiVir Desktop *Enabled/Updated* {0012F2B4-5AF1-7C92-0300-000000000000}
AV: AntiVir Desktop *Enabled/Updated* {0012F2B4-5CC9-7C92-0300-000000000000}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\diego\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe
svchost.exe
C:\Programmi\Prevx\prevx.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\Programmi\Prevx\prevx.exe
C:\Documents and Settings\diego\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\diego\Impostazioni locali\Dati applicazioni\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\All Users\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
BHO: &Crawler Toolbar Helper: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\programmi\crawler\toolbar\ctbr.dll
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\programmi\crawler\toolbar\ctbr.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\diego\impostazioni locali\dati applicazioni\google\update\GoogleUpdate.exe" /c
uRun: [SpywareTerminatorUpdate] "c:\programmi\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [SpywareTerminator] "c:\programmi\spyware terminator\SpywareTerminatorShield.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Crawler Search - tbr:iemenu
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\programmi\crawler\toolbar\ctbr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2011-3-20 32008]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2011-3-20 76696]
R2 CSIScanner;CSIScanner;c:\programmi\prevx\prevx.exe [2011-3-20 6416120]
R2 DriverX;DriverX;c:\windows\system32\drivers\DRIVERX.SYS [2011-3-20 234140]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2011-3-20 26096]
S1 sp_rsdrv2;Spyware Terminator Driver 2;\??\c:\windows\system32\drivers\sp_rsdrv2.sys --> c:\windows\system32\drivers\sp_rsdrv2.sys [?]
S3 umpusbvista;Texas Instruments USB Serial Driver;c:\windows\system32\drivers\umpusbvista.sys [2011-3-20 47744]
.
=============== Created Last 30 ================
.
2011-03-20 22:53:50 -------- d-----w- C:\Rustbfix
2011-03-20 21:52:00 71880 ----a-w- c:\windows\system32\PxSecure.dll
2011-03-20 21:51:59 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
2011-03-20 21:51:59 32008 ----a-w- c:\windows\system32\drivers\pxscan.sys
2011-03-20 21:51:59 26096 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2011-03-20 21:51:58 -------- d-----w- c:\programmi\Prevx
2011-03-20 21:51:47 -------- d-----w- c:\docume~1\alluse~1\datiap~1\PrevxCSI
2011-03-20 21:38:01 89088 ----a-w- C:\mbr.exe
2011-03-20 20:37:02 301568 ----a-w- C:\i4vgdr5d.exe
2011-03-20 20:35:27 4297371 ----a-r- C:\Pillola.exe
2011-03-20 20:35:27 147456 ----a-w- C:\catchme.exe
2011-03-20 16:06:35 -------- d-----w- c:\docume~1\diego\datiap~1\Malwarebytes
2011-03-20 16:01:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-20 16:00:36 -------- d-----w- c:\docume~1\alluse~1\datiap~1\Malwarebytes
2011-03-20 15:59:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-20 15:59:14 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2011-03-20 00:03:11 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-03-19 23:57:33 -------- d-----w- C:\diego
2011-03-19 23:55:50 47744 ----a-w- c:\windows\system32\drivers\umpusbvista.sys
2011-03-19 23:55:50 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2011-03-19 23:55:42 -------- d-----w- c:\docume~1\diego\datiap~1\IAR Embedded Workbench
2011-03-19 23:44:36 0 ----a-w- c:\windows\system32\serauth2.dll
2011-03-19 23:44:36 0 ----a-w- c:\windows\system32\serauth1.dll
2011-03-19 23:44:36 0 ----a-w- c:\windows\system32\nsprs.dll
2011-03-19 23:44:13 234140 ----a-w- c:\windows\system32\drivers\DRIVERX.SYS
2011-03-19 23:44:12 11157 ----a-w- c:\windows\system32\CP30LS.DLL
2011-03-19 23:42:10 -------- d-----w- c:\programmi\IAR Systems
2011-03-19 21:51:00 76768 ----a-r- c:\windows\system32\drivers\umpusbxp.sys
2011-03-19 21:47:23 -------- d-----w- c:\windows\Downloaded Installations
2011-03-19 21:46:21 -------- d-----w- c:\programmi\file comuni\IAR Systems
2011-03-19 21:21:46 -------- d-----w- c:\docume~1\diego\impost~1\datiap~1\Rowley Associates Limited
2011-03-19 21:17:24 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-03-19 21:00:51 98816 ----a-w- c:\windows\sed.exe
2011-03-19 21:00:51 89088 ----a-w- c:\windows\MBR.exe
2011-03-19 21:00:51 256512 ----a-w- c:\windows\PEV.exe
2011-03-19 21:00:51 161792 ----a-w- c:\windows\SWREG.exe
2011-03-19 20:59:51 -------- d-----w- c:\windows\pss
2011-03-19 18:27:01 -------- d---a-w- C:\.Trash-1000
2011-03-19 14:02:04 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-03-19 13:52:59 9216 ------w- c:\windows\system32\dot3dlg.dll
2011-03-19 13:43:20 8704 -c----w- c:\windows\system32\dllcache\asferror.dll
2011-03-19 13:42:59 208896 -c----w- c:\windows\system32\dllcache\unregmp2.exe
2011-03-19 13:38:54 272768 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-03-19 13:38:04 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2011-03-19 13:37:18 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-03-19 13:37:00 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-03-19 13:36:56 144384 ------w- c:\windows\system32\drivers\hdaudbus.sys
2011-03-19 13:36:52 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2011-03-19 13:36:25 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-03-19 13:35:09 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-03-19 13:35:09 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-03-19 13:34:28 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2011-03-19 13:34:22 2193664 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-03-19 13:34:19 286208 -c----w- c:\windows\system32\dllcache\pdh.dll
2011-03-19 13:34:19 111104 -c----w- c:\windows\system32\dllcache\services.exe
2011-03-19 13:34:18 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2011-03-19 13:34:15 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2011-03-19 13:34:12 683520 -c----w- c:\windows\system32\dllcache\advapi32.dll
2011-03-19 13:34:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2011-03-19 13:34:09 736256 -c----w- c:\windows\system32\dllcache\ntdll.dll
2011-03-19 13:34:05 2149888 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-03-19 13:34:03 2028032 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-03-19 13:33:53 19569 ----a-w- c:\windows\002789_.tmp
2011-03-19 13:33:07 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2011-03-19 13:33:00 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2011-03-19 13:28:47 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2011-03-19 13:28:00 293376 ------w- c:\windows\system32\browserchoice.exe
2011-03-19 13:23:20 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-03-19 13:23:13 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2011-03-19 13:22:09 219136 -c----w- c:\windows\system32\dllcache\wordpad.exe
2011-03-19 13:17:39 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-03-19 13:13:18 -------- d-----w- c:\windows\system32\PreInstall
2011-03-19 13:13:15 -------- d--h--w- c:\windows\$hf_mig$
2011-03-19 12:47:59 4096 ----a-w- c:\programmi\file comuni\system\ole db\SET582.tmp
2011-03-19 12:46:55 299520 ----a-w- c:\windows\system32\SET3F5.tmp
2011-03-19 12:45:59 584704 ----a-w- c:\windows\system32\SET262.tmp
2011-03-19 12:43:20 19569 ----a-w- c:\windows\004849_.tmp
2011-03-19 12:37:39 683520 ----a-w- c:\windows\system32\advapi32.dll
2011-03-19 12:24:45 -------- d-----w- c:\programmi\Crawler
2011-03-19 12:24:37 -------- d-----w- c:\programmi\Spyware Terminator
2011-03-19 12:16:51 -------- d-----w- c:\docume~1\diego\impost~1\datiap~1\Temp
2011-03-19 12:16:46 -------- d-----w- c:\docume~1\diego\impost~1\datiap~1\Google
2011-03-19 12:05:52 -------- d-----w- C:\temp
2011-03-19 12:05:20 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-03-19 12:03:53 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2011-03-19 12:03:38 -------- d-s---w- c:\windows\system32\Microsoft
2011-03-19 11:55:02 -------- d-----w- c:\windows\ServicePackFiles
2011-03-19 11:51:51 19528 ----a-w- c:\windows\002115_.tmp
.
==================== Find3M ====================
.
2011-03-20 10:28:07 100 ----a-w- c:\windows\system32\prsgrc.dll
2011-03-19 21:47:19 1024 ----a-w- c:\windows\system32\bvnn2vm.dll
2011-03-19 21:47:12 1024 ----a-w- c:\windows\system32\grcauth2.dll
2011-03-19 21:47:10 1024 ----a-w- c:\windows\system32\grcauth1.dll
2011-03-19 21:47:03 1024 ----a-w- c:\windows\system32\clauth2.dll
2011-03-19 21:47:02 1024 ----a-w- c:\windows\system32\clauth1.dll
2011-03-19 21:47:00 72 ----a-w- c:\windows\system32\ssprs.dll
2011-03-19 12:37:38 338 ----a-w- c:\windows\system32\k2j7cuv.dll
.
============= FINISH: 1.10.41,18 ===============


#2 rigacci


Posted 26 March 2011 - 10:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 accacca


Posted 26 March 2011 - 11:42 AM

Hello,
thanks for the reply.
Do not worry about the delay, you do a great job for all.
In fact, yes, the situation has changed: at the moment I have stopped working on PC1, the least important one.
I was trying to restore the disk of the main PC2!
I made some operations (suggested by an Italian forum) with Kaspersky Virus Removal Tool and I could post these logs.
Tomorrow I will also prepare all the logs required for this thread and add a new message.

To avoid confusion, we can close this one and open a topic dedicated to the PC2 disk.
Thanks again.

#4 rigacci


Posted 26 March 2011 - 12:00 PM

OK, I will have them close this topic and please post the new logs when you open the next one.

Unless you wish something different?

I am from Florence.

DR

#5 accacca


Posted 27 March 2011 - 10:27 AM

Rigacci,

I think it is not a good idea to reply in Italian on this forum.
Before you helped me on this forum I opened a discussion for the same problem on an Italian forum.
If you think you could give me a hand, I leave you the discussion link:

http://forum.wininizio.it/index.php?/topic/124765-rootkit-dove/

Actually, writing in English is not easy for me and I use Google Translator.

Thanks a lot for the support and help.
