AV Guard Online



#1 mindylee

  • Members
  • 2 posts

Posted 11 October 2011 - 04:19 PM

Hi there -
A couple of days ago my laptop with Windows XP popped up with the typical message from AV Guard Online. I have never seen or had a problem with this program before. It redirects most of the time when I try to go to a website, so I have had to use another computer to use the internet and download software, and have been transferring it to my laptop via a flash drive.

What I've done:

I've followed the instructions offered http://www.bleepingcomputer.com/virus-removal/remove-av-guard-online completely (I believe).
I'm working in Safe Mode with Networking
I downloaded RKill and it did seem to work (I think, though see next statement about Malwarebytes...?)
I downloaded Malwarebytes and it was able to download and open and was in the process of scanning when it shut down completely. Now when I try to run Malwarebytes, a popup appears that says "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item." When I try to reinstall it, it will open and begin a scan but again will just shut down.
At that point, I referred to your Preparation Guide and did everything that was asked (except back up my stuff, eek!) including putting my firewall up, disabling my CD software with Defogger, downloading DDS and creating a GMER log.
However, I have no idea whether I have the 32- or 64-bit version of Windows (where do I find that information, anyway?), so I attempted to create the GMER log and it also kept shutting down. I was able to save it before it shut down, so I will attach what I have.

I have to admit to being pretty limited in terms of complicated computer lingo, so layman's help would be much appreciated. :)

Thank you so super much for any help!

Here's the DDS file:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Student at 16:24:47 on 2011-10-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.621 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\1393677029:439217836.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://pegasus2.pearsoned.com/Pegasus/frmLogin.aspx?s=3
uInternet Connection Wizard,ShellNext = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TpShocks] TpShocks.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [Ypawepozanij] rundll32.exe "c:\windows\ogidayiy.dll",Startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sZZhhTXwjUVeIB8234A] c:\windows\system32\LA00uucS2ib3pG.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\safeco~1.lnk - c:\program files\safeconnect\scClient.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {0249ED44-B640-45BD-8066-17F81BFDC050} - hxxp://vbrick.bryant.edu/STREAMPLAYER1.cab
DPF: {5459BAF4-09A9-422A-AB5C-5F114A7287B5} - hxxp://vbrick.bryant.edu/VBPLAYER.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1274533896734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201788875531
DPF: {85887165-031A-4297-BC4E-6B246C120B9C} - hxxp://vbrick.bryant.edu/STREAMPLAYER4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A3A3DB48-A838-4D21-8668-8F34AA82D14F} - hxxp://safeconnect.uri.edu:8008/html/xpc/tools/xc_loader_activex.ocx
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F50B3F13-19C4-11CF-AA9A-02608C9BABA2} - hxxp://vbrick.bryant.edu/STREAMPLAYER2.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{7966501C-6825-4CB9-950C-5EB3CDF0E4C8} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
Notify: TPSvc - TPSvc.dll
AppInit_DLLs: systemhost.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli psqlpwd w95intc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\student\application data\mozilla\firefox\profiles\y7h5zkcu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gratefulness.org/index.htm
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\student\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2011-8-16 59080]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-10 337560]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2007-12-5 46656]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-11 366152]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2011-2-4 22816]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2010-6-1 120128]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2011-2-4 147984]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-2-4 66880]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-10 69192]
S2 SCManager;SafeConnect Manager;c:\program files\safeconnect\scmanager.sys servicestart --> c:\program files\safeconnect\scManager.sys servicestart [?]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2007-8-14 10896]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-12-5 520192]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2007-12-5 249856]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-28 24652]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\csvirta.sys --> c:\windows\system32\drivers\CSVirtA.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-11 22216]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-10 91992]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-10 43224]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-10 67240]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
.
=============== Created Last 30 ================
.
2011-10-11 20:17:00 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-11 20:16:38 -------- d-----w- c:\documents and settings\student\application data\Malwarebytes
2011-10-11 20:16:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-11 20:16:23 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-11 20:16:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-11 19:38:32 -------- d-----w- c:\program files\STOPzilla!
2011-10-11 19:38:29 -------- d-----w- c:\program files\common files\iS3
2011-10-11 19:38:27 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
2011-10-11 19:32:31 -------- d-----w- c:\documents and settings\student\application data\hlIBrzPNy
2011-10-11 19:32:30 -------- d-----w- c:\documents and settings\student\application data\gZqhYXwkUrOtPuS
2011-10-06 16:05:49 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-10-06 15:58:46 -------- d-----w- c:\documents and settings\student\application data\sXqqjjYCekIBzO
2011-10-06 15:58:45 -------- d-----w- c:\documents and settings\student\application data\Y4aamHH6sWKfE9g
2011-10-06 15:58:32 2413056 ----a-w- c:\windows\system32\LA00uucS2ib3pG.exe
2011-10-06 15:58:32 -------- d-----w- c:\documents and settings\student\application data\cIIVrlOON
2011-09-28 21:58:02 22992 ----a-r- c:\windows\system32\SZIO5.dll
2011-09-28 21:58:02 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-09-28 21:58:00 546256 ----a-r- c:\windows\system32\SZComp5.dll
2011-09-28 21:58:00 480720 ----a-r- c:\windows\system32\SZBase5.dll
2011-09-28 21:58:00 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-09-28 21:58:00 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-09-28 21:57:58 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-09-28 21:57:58 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-09-28 21:57:58 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-09-28 21:57:58 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2011-09-28 21:57:56 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2011-09-28 21:57:56 230864 ----a-r- c:\windows\system32\IS3Win325.dll
.
==================== Find3M ====================
.
2011-09-27 02:54:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-16 21:48:30 59080 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
============= FINISH: 16:30:33.53 ===============
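
A way to triage a DDS log like the one above mechanically, as an added example that is not part of the original post, of DDS, or of any vendor tool. It scans a handful of lines copied from the posted log for the structural signals a responder looks at first: a process image path with an NTFS alternate data stream after the last backslash, a Run entry loading a module straight from the Windows root directory, value or file names that interleave letters, digits and case changes, a non-empty AppInit_DLLs value, and LSA notification packages outside a baseline. The rules, the thresholds and the baseline of expected LSA packages are this example's own assumptions; a hit means "review this entry", not a verdict.

```python
"""Triage heuristics for lines from a DDS log ('Running Processes' and
'Pseudo HJT Report' sections). Added example: not part of DDS or of the post."""
import re

# Constructed sample: lines copied from the DDS log posted above, with two
# clean vendor entries (PWRMGRTR, McAfeeUpdaterUI) kept as controls.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\1393677029:439217836.exe
C:\WINDOWS\system32\ctfmon.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [Ypawepozanij] rundll32.exe "c:\windows\ogidayiy.dll",Startup
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [sZZhhTXwjUVeIB8234A] c:\windows\system32\LA00uucS2ib3pG.exe
AppInit_DLLs: systemhost.dll
LSA: Notification Packages = scecli psqlpwd w95intc.dll
"""

# Assumption: scecli is the stock XP LSA notification package; psqlpwd is the
# ThinkVantage fingerprint component that appears elsewhere in the same log.
LSA_BASELINE = {"scecli", "psqlpwd"}

RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\[^\s,]+)', re.I)
# "<dir>\<file>:<stream>" at the end of an image path = NTFS alternate data stream.
ADS_RE = re.compile(r"^[a-z]:\\.*\\[^\\:]+:[^\\:]+$", re.I)
# A module sitting directly in the Windows root, not in a subfolder.
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)


def paths_in(cmd):
    """All drive-letter paths in a Run command, quoted or not."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmd)]


def random_looking(name):
    """Letters and digits interleaved in >= 3 runs, or one digit run plus >= 5
    case flips: catches LA00uucS2ib3pG and sZZhhTXwjUVeIB8234A, not
    PHIME2002ASync or McAfeeUpdaterUI. Thresholds are this example's guess."""
    pairs = list(zip(name, name[1:]))
    boundaries = sum(1 for a, b in pairs
                     if a.isalnum() and b.isalnum() and a.isalpha() != b.isalpha())
    flips = sum(1 for a, b in pairs
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return boundaries >= 3 or (boundaries >= 1 and flips >= 5)


def triage(log_text):
    """Return (rule, subject) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ADS_RE.match(line):                      # process image is an ADS
            findings.append(("ads-process", line))
        elif line.startswith("AppInit_DLLs:"):      # loaded into every GUI process
            if line.split(":", 1)[1].strip():
                findings.append(("appinit-dll", line))
        elif line.startswith("LSA: Notification Packages"):  # runs inside lsass.exe
            pkgs = {p.lower().replace(".dll", "") for p in line.split("=", 1)[1].split()}
            findings += [("lsa-package", p) for p in sorted(pkgs - LSA_BASELINE)]
        elif (m := RUN_RE.match(line)):
            name, targets = m.group("name"), paths_in(m.group("cmd"))
            if any(WINROOT_RE.match(t) for t in targets):
                findings.append(("windows-root-module", name))
            stems = [t.rsplit("\\", 1)[-1].rsplit(".", 1)[0] for t in targets]
            if any(random_looking(n) for n in [name, *stems]):
                findings.append(("random-name", name))
    return findings


if __name__ == "__main__":
    for rule, subject in triage(SAMPLE_LOG):
        print(f"{rule:22} {subject}")
```

Run it on a full log with triage(open("dds.txt").read()). On the sample it reports five entries: the ADS process, the Ypawepozanij rundll32 entry, the sZZhhTXwjUVeIB8234A entry, the AppInit_DLLs value and w95intc; the control entries McAfeeUpdaterUI and PWRMGRTR do not trip any rule. The name rule is deliberately narrow, which is why the Ypawepozanij entry is caught by the Windows-root rule rather than by its spelling.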


#2 Aaflac

  • Malware Response Team
  • 2,307 posts

Posted 14 October 2011 - 11:33 PM

mindylee,

To determine whether you are running a 32-bit or a 64-bit version of Windows XP, do the following:

Click Start > Run
In the Open area of the Run prompt, type: sysdm.cpl
Click OK

Click the General tab.
The operating system is displayed as follows:
◦For a 64-bit version, under System, the following appears: Windows XP Professional x64 Edition Version <Year>
◦For a 32-bit version, under System, the following appears: Windows XP Professional Version <Year>


Now, let's get to work...

The information provided shows characteristics of the ZeroAccess Rootkit.

First, let's take care of this file:
C:\WINDOWS\1393677029:439217836.exe


It throws a wrench in the works, and programs will not run successfully...

Please download DummyCreator.zip

Unzip the folder:
•Right-click and select: Extract all…
•Follow the prompts to extract

Open the new folder that appears on the Desktop:
•Double-click DummyCreator/DummyMaker to run the tool.

•Now, copy/paste the following into the blank area:

C:\WINDOWS\1393677029

•Press the Create button

•Save the content of the Result.txt to your Desktop, and post it in your reply.

Next, restart the computer!




Now, please download aswMBR

Save it to the Desktop.

Double-click aswMBR.exe to start the tool.
Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop,

Note: Do NOT attempt to fix anything!

Please post the aswMBR log in your reply.



Also, you will notice that another file is created on the Desktop.
It is named MBR.dat.

Keep the file on the Desktop, and do not remove.

This is important, just in case we need to access the MBR information!!


However, do submit MBR.dat for analysis to VirusTotal


Use the 'Browse' button to navigate to the location of the file.
Click on the file, then, click the 'Open' button.
The file is now displayed in the Submit Box.

Scroll down and click 'Send File', and wait for the results
If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'
Once scanned, please provide the link to the results page in your reply.


Please do not run any malware removal programs while we are in the process of making malware repairs. Doing so may just make matters worse, and that, you do not want!

Thanks!

Old duck...


#3 mindylee

  • Topic Starter
  • Members
  • 2 posts

Posted 19 December 2011 - 03:15 PM

Sorry for the delay. I was in the middle of my semester and did not have a moment to spare to work on this.
Okay, I ran DummyCreator just fine.
However, my computer was not letting me complete the aswMBR scan!
It did scan until a line flashed red pinpointing an infected file; I saved what I could and pasted that information below.
Here we go...


DummyCreator by Farbar
Ran by Student (administrator) on 19-12-2011 at 14:46:37
**************************************************************

C:\WINDOWS\1393677029 [19-12-2011 14:46:37]

== End of log ==



aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-19 15:02:20
-----------------------------
15:02:20.781 OS Version: Windows 5.1.2600 Service Pack 3
15:02:20.781 Number of processors: 2 586 0xE08
15:02:20.781 ComputerName: BRYANT-551462FA UserName: Student
15:02:25.562 Initialize success
15:02:31.359 AVAST engine defs: 11121900
15:02:34.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:02:34.875 Disk 0 Vendor: FUJITSU_ 0084 Size: 76319MB BusType: 3
15:02:34.953 Disk 0 MBR read successfully
15:02:35.000 Disk 0 MBR scan
15:02:35.093 Disk 0 unknown MBR code
15:02:35.140 Disk 0 scanning sectors +156295440
15:02:35.265 Disk 0 scanning C:\WINDOWS\system32\drivers
15:02:44.906 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Aluroot [Rtk]
15:02:48.250 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
15:02:48.390 The log file has been saved successfully to "E:\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-19 15:02:20
-----------------------------
15:02:20.781 OS Version: Windows 5.1.2600 Service Pack 3
15:02:20.781 Number of processors: 2 586 0xE08
15:02:20.781 ComputerName: BRYANT-551462FA UserName: Student
15:02:25.562 Initialize success
15:02:31.359 AVAST engine defs: 11121900
15:02:34.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:02:34.875 Disk 0 Vendor: FUJITSU_ 0084 Size: 76319MB BusType: 3
15:02:34.953 Disk 0 MBR read successfully
15:02:35.000 Disk 0 MBR scan
15:02:35.093 Disk 0 unknown MBR code
15:02:35.140 Disk 0 scanning sectors +156295440
15:02:35.265 Disk 0 scanning C:\WINDOWS\system32\drivers
15:02:44.906 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Aluroot [Rtk]
15:02:48.250 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
15:02:48.390 The log file has been saved successfully to "E:\aswMBR.txt"
15:02:52.828 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
15:02:52.828 The log file has been saved successfully to "E:\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-19 15:02:20
-----------------------------
15:02:20.781 OS Version: Windows 5.1.2600 Service Pack 3
15:02:20.781 Number of processors: 2 586 0xE08
15:02:20.781 ComputerName: BRYANT-551462FA UserName: Student
15:02:25.562 Initialize success
15:02:31.359 AVAST engine defs: 11121900
15:02:34.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:02:34.875 Disk 0 Vendor: FUJITSU_ 0084 Size: 76319MB BusType: 3
15:02:34.953 Disk 0 MBR read successfully
15:02:35.000 Disk 0 MBR scan
15:02:35.093 Disk 0 unknown MBR code
15:02:35.140 Disk 0 scanning sectors +156295440
15:02:35.265 Disk 0 scanning C:\WINDOWS\system32\drivers
15:02:44.906 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Aluroot [Rtk]
15:02:48.250 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
15:02:48.390 The log file has been saved successfully to "E:\aswMBR.txt"
15:02:52.828 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
15:02:52.828 The log file has been saved successfully to "E:\aswMBR.txt"
15:02:55.734 Service scanning
15:02:56.968 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
15:02:57.062 The log file has been saved successfully to "E:\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-19 15:03:21
-----------------------------
15:03:21.343 OS Version: Windows 5.1.2600 Service Pack 3
15:03:21.343 Number of processors: 2 586 0xE08
15:03:21.343 ComputerName: BRYANT-551462FA UserName: Student
15:03:21.625 Initialize success
15:03:27.484 AVAST engine defs: 11121900
15:03:28.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:03:28.687 Disk 0 Vendor: FUJITSU_ 0084 Size: 76319MB BusType: 3
15:03:28.750 Disk 0 MBR read successfully
15:03:28.796 Disk 0 MBR scan
15:03:28.875 Disk 0 unknown MBR code
15:03:28.937 Disk 0 scanning sectors +156295440
15:03:29.062 Disk 0 scanning C:\WINDOWS\system32\drivers
15:03:38.625 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Aluroot [Rtk]
15:03:41.515 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
15:03:41.531 The log file has been saved successfully to "E:\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-19 15:10:26
-----------------------------
15:10:26.078 OS Version: Windows 5.1.2600 Service Pack 3
15:10:26.078 Number of processors: 2 586 0xE08
15:10:26.078 ComputerName: BRYANT-551462FA UserName: Student
15:10:26.875 Initialize success
15:10:33.609 AVAST engine defs: 11121900
15:10:41.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:10:41.531 Disk 0 Vendor: FUJITSU_ 0084 Size: 76319MB BusType: 3
15:10:41.609 Disk 0 MBR read successfully
15:10:41.656 Disk 0 MBR scan
15:10:41.750 Disk 0 unknown MBR code
15:10:41.796 Disk 0 scanning sectors +156295440
15:10:41.921 Disk 0 scanning C:\WINDOWS\system32\drivers
15:10:51.562 File: C:\WINDOWS\system32\drivers\mrxsmb.sys **INFECTED** Win32:Aluroot [Rtk]
15:10:57.703 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
15:10:57.703 The log file has been saved successfully to "E:\aswMBR.txt"






Here's the link to virustotal:

http://www.virustotal.com/file-scan/report.html?id=752182a404d5efdea0fbc0d43fdf1592942c7461be4245d5a63e55c9c1fa2808-1324324665
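
A way to read the MBR.dat that aswMBR saves (the step asked for in post #2 and shown in the logs above), as an added example that is not aswMBR's code and not part of the posts. It checks the 0x55AA boot signature, decodes the four partition-table entries, computes the SHA-256 of the whole sector (the 64-character hex prefix in a VirusTotal report link is the submitted file's SHA-256, so this is the value to compare), hashes the 440-byte boot code separately so it can be compared with a copy from a known-good install of the same OS (aswMBR's "unknown MBR code" says only that its own reference list did not match), and measures the unpartitioned sectors after the last partition, which is the area a bootkit can use. The sample sector is constructed inline; its partition ends so that the first free sector is 156295440, matching the posted "scanning sectors +156295440" line, and that correspondence is this example's assumption about what aswMBR prints. The 76319 MB disk size is taken from the log.

```python
"""Parse an aswMBR MBR.dat dump (the disk's first 512-byte sector).
Added example for this thread; not aswMBR's code and not part of the posts."""
import hashlib
import struct

SECTOR = 512
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/HPFS", 0x0B: "FAT32",
                   0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x27: "Hidden NTFS"}


def build_sample_mbr():
    """Constructed stand-in for MBR.dat: zeroed boot code (real code is not
    zero), an invented disk signature, and one active NTFS partition whose
    last sector is 156295439, so the first free sector is 156295440, the
    number in the posted 'scanning sectors +156295440' line. That pairing is
    this example's assumption about what aswMBR prints, not documented fact."""
    boot_code = bytes(440)
    disk_signature = struct.pack("<I", 0x1234ABCD)
    # status, CHS start, type, CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 156295377)
    table = entry + bytes(16 * 3)               # three empty slots
    return boot_code + disk_signature + b"\x00\x00" + table + b"\x55\xaa"


def parse_mbr(data):
    """Decode signature, disk ID, partition table and the two hashes worth
    comparing: boot code against a known-good copy, whole sector against the
    hash VirusTotal reports."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack("<B3sB3sII", data[off:off + 16])
        if ptype == 0 and count == 0:
            continue
        partitions.append({"slot": i, "active": status == 0x80, "type": ptype,
                           "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
                           "lba_start": lba_start, "sectors": count,
                           "lba_end": lba_start + count})   # first sector past the partition
    return {"signature_ok": data[510:512] == b"\x55\xaa",
            "disk_signature": struct.unpack("<I", data[440:444])[0],
            "boot_code_sha256": hashlib.sha256(data[:440]).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "partitions": partitions}


def unpartitioned_tail(mbr, disk_mib):
    """(first free sector, sector count) after the last partition, computed
    from the rounded MiB size aswMBR prints, so the count is approximate."""
    disk_sectors = disk_mib * 1024 * 1024 // SECTOR
    first_free = max((p["lba_end"] for p in mbr["partitions"]), default=0)
    return first_free, max(disk_sectors - first_free, 0)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    mbr = parse_mbr(data)
    print("signature ok:", mbr["signature_ok"], " sha256:", mbr["sha256"])
    for p in mbr["partitions"]:
        print(f"slot {p['slot']} {'*' if p['active'] else ' '} {p['type_name']:12} "
              f"LBA {p['lba_start']}..{p['lba_end'] - 1}")
    print("free tail (start, sectors):", unpartitioned_tail(mbr, 76319))
```

Run it as python mbr_check.py E:\MBR.dat to parse the real dump; with no argument it parses the constructed sector. On the sample, the tail after the partition is 5872 sectors (about 2.9 MB), which is the kind of space a bootkit can hide in; a partition entry of an unexpected type, an inactive boot flag where one is expected, or a boot-code hash that differs from a clean reference are the things to look at before trusting the "unknown MBR code" line either way.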

#4 Aaflac

  • Malware Response Team
  • 2,307 posts

Posted 06 January 2012 - 02:20 AM

It has been quite a while...

My apology for the delay. Had no notification of your reply.

If you still need malware removal help, post back.

Thanks.

Old duck...




