Browser redirects and fake security installs (possible rootkits)


  • This topic is locked
2 replies to this topic

#1 CHUPON

CHUPON

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 09 November 2011 - 09:21 PM

Hi,

I have an issue with a laptop of mine and I've tried some troubleshooting steps that have usually worked in the past, but this is proving a bit challenging. Things started when I noticed a fake anti-spyware program called System Restore which I promptly removed. While I was working to remove all traces another fake anti-spyware program called System Security 2012 popped up.

At this point I thought there was something in the MBR so I've focused my efforts there but have so far been unlucky. I can't seem to run TDSS Killer even if I rename it. MalWare Bytes has removed items but isn't reporting anything right now. I am not confident to bring this laptop online as it seems fine when it's not connected to the internet but seems to display infection symptoms when connected.

DDS doesn't want to end so I can't post a log. I get the following error when I try to run GMER.

"LoadDriver("C:\DOCUME~1\<user>\LOCALS~1\temp\fgloapod.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key."

As such I can't provide this log either.

If I boot into Safe Mode I sometimes get a blue screen and sometimes it works just fine. Same for a normal boot. It seems to happen more when I have my USB stick plugged in when I reboot, so I've been removing that each time.

If I try to boot to recovery mode it never seems to load. If I boot to a windows XP CD I can get to the repair option there but I haven't run anything yet.

I really don't want to format at this point so I'm looking for options.

Edit: I was able to get MBRCheck to run.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000ec

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.

Edited by CHUPON, 10 November 2011 - 10:36 AM.
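The MBRCheck output above reports the C: volume offset, the drive size and a SHA1 of the boot sector, then declares the MBR code "Faked!". The following is an added example, not part of the original post or of MBRCheck, showing what such a tool does under the hood: read the 512-byte sector 0, verify the 0x55AA signature, hash the 440 bytes of boot code, compare it against an allow-list of known-good hashes, and walk the four partition entries to derive each volume's byte offset (start LBA multiplied by 512). The sample sector and the allow-list hash are constructed inline for illustration; they are not reference values for any real Windows MBR, and the partition geometry is chosen only so that the derived offset matches the 0x02738a00 figure in the post.

```python
"""Parse a 512-byte MBR and flag boot code that is not on an allow-list.

Added example, not code from the forum thread or from MBRCheck.
The sample sector, its boot-code stub and the allow-list are constructed
here for demonstration; they are not real-world reference values.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: executable boot code (before the disk signature)
PART_TABLE_OFF = 446         # four 16-byte partition entries at 446..509
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII" # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a sector from a boot-code stub and (status, type, start_lba, count) tuples.

    CHS fields are left zero; modern tools rely on the LBA fields anyway.
    """
    sector = bytearray(SECTOR_SIZE)
    stub = boot_code[:BOOT_CODE_LEN]
    sector[:len(stub)] = stub
    for i, (status, ptype, start_lba, num_sectors) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + i * 16
        sector[off:off + 16] = struct.pack(
            PART_ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start_lba, num_sectors
        )
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, SHA1 of the boot code and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = sector[510:512] == MBR_SIGNATURE
    boot_code_sha1 = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _, ptype, _, start_lba, num_sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16]
        )
        if ptype == 0:            # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                          # 0x07 = NTFS/exFAT/HPFS
            "start_lba": start_lba,
            "byte_offset": start_lba * SECTOR_SIZE, # what MBRCheck prints as "at offset"
            "num_sectors": num_sectors,
        })
    return {"signature_ok": signature_ok, "boot_code_sha1": boot_code_sha1,
            "partitions": partitions}


def classify_boot_code(sha1_hex: str, known_good) -> str:
    """'ok' if the boot-code hash is on the allow-list, otherwise 'non-standard'.

    A real tool ships hashes of the vendor MBRs it recognises; the caller here
    supplies its own list, so an unknown-but-legitimate loader also reads as
    'non-standard' and must be triaged by hand.
    """
    return "ok" if sha1_hex.upper() in {h.upper() for h in known_good} else "non-standard"


# Constructed boot-code stub (hypothetical bytes, not any real loader).
SAMPLE_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8\xBE\x00\x7C\xBF\x00\x06"
# One bootable NTFS partition; start LBA 80325 * 512 == 0x02738A00, the offset in the post.
SAMPLE_PARTITIONS = [(0x80, 0x07, 80325, 312475648)]


def tamper(sector: bytes, offset: int = 0) -> bytes:
    """Flip one byte inside the boot code, as a hypothetical overwrite would."""
    patched = bytearray(sector)
    patched[offset] ^= 0xFF
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)
    info = parse_mbr(clean)
    allow_list = {info["boot_code_sha1"]}   # pretend this hash is the known-good one
    print("clean   :", classify_boot_code(info["boot_code_sha1"], allow_list))
    for p in info["partitions"]:
        print(f"  partition {p['index']} type 0x{p['type']:02X} at offset 0x{p['byte_offset']:016X}")
    faked = parse_mbr(tamper(clean))
    print("tampered:", classify_boot_code(faked["boot_code_sha1"], allow_list))
```

On a live Windows host the sector is read with `open(r"\\.\PhysicalDrive0", "rb").read(512)` as an administrator; an offline read from boot media is more trustworthy, because a bootkit that hooks disk I/O below the file system can hand an in-OS reader a clean copy of sector 0 while the real one on the platter is patched.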


#2 CHUPON

CHUPON
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 10 November 2011 - 08:29 PM

Sorry but we can mark this as resolved. No assistance is required.

Thanks

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:32 PM

Posted 13 November 2011 - 05:21 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
