
MBR boot sector virus?


31 replies to this topic

#1 ronfiveo

ronfiveo

  • Members
  • 147 posts
  • OFFLINE
  • Gender:Male
  • Location:McAllen, Texas
  • Local time:04:01 AM

Posted 07 July 2011 - 09:01 AM

I have an HP m8000n Media Center PC and I think there might be a boot sector virus or infection that does not show up using normal AV programs.

I have been having random BSODs without rhyme or reason (to me) and usually after the auto restart it seems ok.
It usually happens at start up or shortly after(5 min. to 1 hr.).

Originally I took it to CompUSA (the only game in town) for a diagnostic and they told me that there was no OS on the hard drive and that my hard drive was bad, and so I bought a new one and they put it in.
Shortly after (one week) it started the same BSODs, then finally a black screen "cannot boot insert disk", or something like that.
I took it back and they told me that there was no OS on the drive, so they reinstalled the OS (Vista 32 Home Premium).
Again it worked fine for a while but now it's up to its same tricks. I don't want to take it back to them again because obviously they don't know
what they are doing, other than selling products that are not needed.

So.....I need your help with this , please.

I heard about ancient viruses or malware like " Brain" that can infect the boot sector and cause random BSODs stops and the like.

How do I know for sure and how do I remove or fix it?

Or is that really my problem?

Here is my system information: Speccy system information.

Thanks, Ron

Edited by ronfiveo, 07 July 2011 - 09:02 AM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:01 AM

Posted 07 July 2011 - 02:55 PM

Hi Ron. Run this first. I have a class to teach now and will look back in a couple of hours.


  • Download the FixTDSS.exe
  • Save the file to your Windows desktop.
  • Close all running programs.
  • If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
  • Double-click the FixTDSS.exe file to start the removal tool.
  • Click Start to begin the process, and then allow the tool to run.
  • Restart the computer when prompted by the tool.
  • After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said).
  • If you are running Windows XP, re-enable System Restore.


OR run Avira AntiVir Rescue System

Please download the Avira AntiVir Rescue System.

Place a blank CD in your burner and double-click on the rescue system package (rescuecd.exe) to burn it to a CD/DVD which you can then use to boot your computer and run a scan. For detailed instructions, refer to the Tutorial for Avira Rescue CD. If you encounter problems running Avira AntiVir Rescue System, you can get further assistance at the Avira Tools Support Forum.

Edited by boopme, 07 July 2011 - 02:57 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 ronfiveo
  • Topic Starter

Posted 07 July 2011 - 03:31 PM

I ran the FixTDSS.exe

It said, "Backdoor.Tidserv has not been found on your computer."

I am in the process of downloading the Avira AntiVir Rescue System to a CD/DVD.

Do you want me to run it?


#4 boopme
  • Global Moderator

Posted 07 July 2011 - 07:25 PM

Yes please do that.

#5 ronfiveo
  • Topic Starter

Posted 07 July 2011 - 10:01 PM

I ran the Avira scan and I think it found 8 warnings.
I am not sure but I don't think it found any viruses.
I saved the log, but now I can't find it.
Maybe I should run it again and log it again but I am not sure where I should put it.

I also ran the boot sector scan and maybe one was found, but again I don't know where it was saved.

Ron

#6 ronfiveo
  • Topic Starter

Posted 08 July 2011 - 09:26 AM

I ran the scan again, but I still can't find the scan log. (rescue-system_scan.log)

I did however take some photos of the screens.

I will try to upload them for you to look at.

Thanks, Ron


I don't see the manage attachments button...?

#7 boopme
  • Global Moderator

Posted 08 July 2011 - 04:13 PM

Can only copy/paste here in AII. How is it running now?

#8 ronfiveo
  • Topic Starter

Posted 08 July 2011 - 05:16 PM

It seems to be running ok; however, I am very reluctant to shut it down at night for fear of the "blues".

Any ideas....?

Should I shut it down and see if it boots ok, and runs without bluing out?

Thanks for all you are doing I am sure you are quite busy and all and I do appreciate your time.

Ron

#9 boopme
  • Global Moderator

Posted 08 July 2011 - 07:02 PM

Hello, yes, shut it down. This is XP, correct?
We can get it back if needed.
If you get a BSOD, write down the error message.

Do this to stop the screen so you can read it and post the error.

  • Click on Start, then right click on My Computer.
  • Scroll and select Properties, then choose the Advanced tab.
  • Under Start up and Recovery click Settings.
  • Under System Failure uncheck Automatic System Restart.

Now when the BSOD occurs the screen will stop and you can write the complete error down to post.


It can't hurt to back up any important files.

#10 ronfiveo
  • Topic Starter

Posted 08 July 2011 - 07:30 PM

The OS is Vista 32 Home Premium

But I think the procedure is the same for stopping the auto restart.

I sure will do that.

Thanks

Ron

#11 boopme
  • Global Moderator

Posted 08 July 2011 - 07:31 PM

Yes it should be the same.

#12 ronfiveo
  • Topic Starter

Posted 09 July 2011 - 05:57 AM

Sad news....my machine gave me a blue screen after being on for less than 5 min this morning.


Technical Information : 0X0000001A (0X00005001, 0XC0802000, 0X00000599, 0X0BAC4B2E)

So, I turned it off and started it again and it "blued out" again.

Technical Information : 0x0000001A (0X000005001, 0XC0802000, 0X00000599, 0X77884001)

So, I turned it off again, and it did nothing but a black screen with 1 short beep followed by 1 long beep, which just continued
repeatedly until I turned it off again and started up in safe mode with networking so I could post this information.

I don't think I will be turning it off again until this machine is fixed or it is needed for some other reason,
if it doesn't hurt anything to just leave it on until the problem is fixed.

Thanks, Ron



It continues, I tried to restart and it got the blues again.

Technical Information:
0X000000050 (0XFFFFFFEC, 0X00000000, 0X82A4D7E4, 0X00000000)

It seems like now it will not run normally but only in safe mode.
It seems to boot ok, but after a very short time (minutes) it blues out.
Could this be a boot sector virus or MBR is $%^&ed up?

I will try another restart, but my confidence is nil.

Ok, after the restart it is staying on at least long enough to post this.

I just can't risk turning it off again so I am going to leave it running.

I think if I wanted this much frustration, every time I wanted to turn something on, I would have gotten remarried. (joke)

Any ideas with the posting of the blue screen technical information?

Edited by ronfiveo, 09 July 2011 - 07:00 AM.


#13 boopme
  • Global Moderator

Posted 09 July 2011 - 09:52 AM

Let's check it once more; if it's not there we'll have to move to the Vista forum for the errors.

To check for and confirm the MBR (Master Boot Record) rootkit.


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

#14 ronfiveo
  • Topic Starter

Posted 09 July 2011 - 02:46 PM

Do I save it to exactly " C:\ <- "
without the " " ...?
I just want to be sure.

OK, I clicked the mbr.exe and it did just like you said.

Here is what I found.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST310005 rev.CC32 -> Harddisk0\DR0 -> \Device\0000005f

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Edited by ronfiveo, 09 July 2011 - 03:01 PM.
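The mbr.exe log in the post above reports that sector 0 read through the user-mode path and through the kernel path agree ("user & kernel MBR OK"), which is the check that catches an MBR rootkit hiding its own boot code. The Python below is an added example for this thread, not GMER's mbr.exe and not code posted by anyone here: it builds a constructed 512-byte MBR, validates the 0x55AA boot signature and partition table, hashes the boot-code area so a known-good baseline can be kept, and compares two reads of the sector the way that verdict does. The sample bytes and all function names are assumptions made for the demo.

```python
"""Parse a 512-byte Master Boot Record and compare two reads of it.

Added example for this thread; it is not GMER's mbr.exe and not code posted
by anyone here. The MBR bytes are constructed inline, not read from a disk.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PARTITION_ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr() -> bytes:
    """Constructed MBR: a short real-looking boot-code prologue, one bootable NTFS partition."""
    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"   # xor ax,ax / mov ss,ax / mov sp,7C00h
    boot_code += b"\x90" * (PARTITION_TABLE_OFFSET - len(boot_code))  # pad with NOPs
    ntfs = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                       b"\xFE\xFF\xFF", 2048, 204800)
    empty = b"\x00" * PARTITION_ENTRY_SIZE
    return boot_code + ntfs + empty * 3 + BOOT_SIGNATURE


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code area only, so a baseline survives partition-table edits."""
    return hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest()


def parse_mbr(mbr: bytes) -> dict:
    """Validate the boot signature and return the non-empty partition entries plus the boot-code hash."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: sector is not a valid MBR")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(
            PARTITION_ENTRY_FMT, mbr[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:          # type 0 means an unused slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"partitions": partitions, "boot_code_sha256": boot_code_hash(mbr)}


def compare_reads(user_read: bytes, kernel_read: bytes) -> str:
    """Same verdict shape as the thread's log: two reads of sector 0 must match byte for byte."""
    if user_read == kernel_read:
        return "user & kernel MBR OK"
    shared = min(len(user_read), len(kernel_read))
    diffs = [i for i in range(shared) if user_read[i] != kernel_read[i]]
    first = diffs[0] if diffs else shared     # lengths differ but shared prefix matches
    return f"MISMATCH: {len(diffs)} byte(s) differ, first at offset {first}"


def simulate_hidden_modification(mbr: bytes) -> bytes:
    """Constructed second read that disagrees with the first in the boot-code area only,
    which is what a detector expects to see when one read path is being lied to."""
    return b"\xEB\xFE\x90\x90" + mbr[4:]


if __name__ == "__main__":
    clean = build_sample_mbr()
    info = parse_mbr(clean)
    print("partitions:", info["partitions"])
    print("boot code sha256:", info["boot_code_sha256"])
    print(compare_reads(clean, clean))
    print(compare_reads(clean, simulate_hidden_modification(clean)))
```

The boot-code hash is kept separately from the partition table on purpose: partitioning changes are legitimate and frequent, whereas the 446 boot-code bytes of a given Windows install should not change at all, so a stored hash of that region is a cheap baseline to check after the kind of repair-shop reinstall described earlier in the thread.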


#15 boopme
  • Global Moderator

Posted 09 July 2011 - 10:47 PM

OK, no MBR rootkit. Let's do an online scan and see if anything else is left.
How is it running after this?

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.



