

Infected with Alureon


This topic is locked
41 replies to this topic

#1 JibberWacky
  • Members
  • 18 posts

Posted 24 December 2011 - 07:36 PM

A version of the Alureon trojan has infected my computer, which is running the 64 bit version of Windows Vista.

I am already running the most up to date Windows Defender firewall, but got careless and allowed this process in as three things naming themselves with 'vista' and 'Windows' in the title popped up. In retrospect, of course I realize that nothing that was actually from Windows would have triggered the firewall's alert.

I have purchased MalwareBytes recently and when scanning it says that the problem has been quarantined and removed (C:/Windows/svc.exe), but additional scans after restarting my computer as directed show the same thing as being infected.

I've run rkill several times to try and remove the problem in conjunction with MBAM and Windows Defender, with no success, and am on the 3rd downloading option on this site's list, as the first two seem to be recognized by the virus now.

I've managed to create a flash drive that my computer can boot to (at least the dialogue box said it was a success), but have either not been able to boot it successfully so as to remove the virus, or I simply cannot do so.

Furthermore, my computer has an odd quirk (not a recent development, this has happened since its purchase) that will not run system repair when my computer has shut down unexpectedly; it simply doubles back to the option screen until I select 'Start Normally'.

I very much appreciate you taking the time to help dig me out of the 'hole of dumb' I've dug for myself.

Thank you very much for your help, and have a warm winter,

JibberWacky



#2 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,304 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 24 December 2011 - 09:45 PM

Welcome!

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 JibberWacky
  • Topic Starter
  • Members
  • 18 posts

Posted 27 December 2011 - 06:02 PM

Hi!

Sorry for the late reply, I didn't think anyone would help me so quickly during the Christmas and New Year's week! Thank you very much.

Instructions were followed, but I realized I had not clicked on the 'change parameters' option in the TDSSKiller tool's first window. As a result, I ran the tool a second time (after 'curing' and restarting my computer), so I've got 2 logs to post here.

I'm sorry about that; I hope it doesn't make it too much harder for you!

Once again, I really appreciate your help!


#4 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,304 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 27 December 2011 - 06:08 PM

There is a boot sector virus present.

Let's try to scan the computer using the Repair Console. You will need a USB Flashdrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.



#5 JibberWacky
  • Topic Starter
  • Members
  • 18 posts

Posted 27 December 2011 - 07:37 PM

Hi-

I was unable to follow these instructions.

I downloaded the FRST program to a flash drive, and was able to get to the Advanced Boot Options screen with no problems. Once I selected 'Repair Your Computer' things went wrong; there was no 'keyboard language' prompt. A screen came up with the 'Select Operating System' option. I selected Windows Vista, but then my computer booted up normally, taking me to the login screen.

Is my computer itself defective as well as infected?

Thanks,

JW

#6 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,304 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 27 December 2011 - 11:07 PM

Open a command prompt. Click on Start, type CMD on the search box, then right click on the CMD.exe that appears on the start menu and select "Run as an administrator". At the command prompt copy and paste the following command and press Enter:

bcdedit /enum all /v >"%userprofile%\desktop\bcd.txt"

Type Exit and press Enter to return to Windows.

That should create a file on the desktop labeled bcd.txt. Please post the contents of this file in your next reply.



#7 JibberWacky
  • Topic Starter
  • Members
  • 18 posts

Posted 28 December 2011 - 03:16 AM

Okay, that worked. Here's the body of text:


Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {eef02834-067f-11dd-9216-de94fb8b63e0}
resumeobject {eef02835-067f-11dd-9216-de94fb8b63e0}
displayorder {eef02834-067f-11dd-9216-de94fb8b63e0}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30
resume No

Windows Boot Loader
-------------------
identifier {572bcd55-ffa7-11d9-aae2-0007e994107d}
device partition=D:
path \windows\system32\boot\winload.exe
description Recovery Manager
osdevice partition=D:
systemroot \windows
nx OptIn
detecthal Yes
winpe Yes

Windows Boot Loader
-------------------
identifier {eef02834-067f-11dd-9216-de94fb8b63e0}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {572bcd55-ffa7-11d9-aae2-0007e994107d}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {eef02835-067f-11dd-9216-de94fb8b63e0}
nx OptIn

Resume from Hibernate
---------------------
identifier {eef02835-067f-11dd-9216-de94fb8b63e0}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

Windows Legacy OS Loader
------------------------
identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
device unknown
path \ntldr
description Earlier Version of Windows

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Thanks!

JW
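As an added example (not from the thread or from any of the tools named in it), the Python below parses `bcdedit /enum all /v` output like the listing above, follows the boot manager's default entry to the OS loader and on to its recoverysequence, and reports the things a responder checks in a BCD store when a boot-sector infection is suspected: references to entries that do not exist, loader settings that relax driver signing (testsigning, nointegritychecks), and a loader path that is not winload.exe. The embedded sample is a constructed subset of the posted output; on it the recovery chain resolves to the OEM "Recovery Manager" WinPE entry on partition D:.

```python
import re

# Constructed subset of the `bcdedit /enum all /v` output posted above.
SAMPLE_BCD = r"""
Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
default {eef02834-067f-11dd-9216-de94fb8b63e0}

Windows Boot Loader
-------------------
identifier {572bcd55-ffa7-11d9-aae2-0007e994107d}
device partition=D:
path \windows\system32\boot\winload.exe
description Recovery Manager
winpe Yes

Windows Boot Loader
-------------------
identifier {eef02834-067f-11dd-9216-de94fb8b63e0}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
recoverysequence {572bcd55-ffa7-11d9-aae2-0007e994107d}
recoveryenabled Yes

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
"""

GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.IGNORECASE)

def parse_bcd(text):
    """Map each entry's identifier to its settings; '_type' holds the section title."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, current, last_key = {}, {}, ""
    for i, line in enumerate(lines):
        if not line or line.startswith("---"):
            continue
        # A section title is the line immediately above a dashed underline.
        if i + 1 < len(lines) and lines[i + 1].startswith("---"):
            current, last_key = {"_type": line}, ""
            continue
        if GUID.match(line) and last_key:
            # A bare GUID continues a multi-valued setting such as 'inherit'.
            current[last_key] += " " + line
            continue
        key, _, value = line.partition(" ")
        current[key] = value.strip()
        last_key = key
        if key == "identifier":
            entries[value.strip()] = current
    return entries

def boot_chain(entries):
    """Follow bootmgr's 'default' to the OS loader, then its 'recoverysequence'."""
    mgr = next((e for e in entries.values() if e.get("_type") == "Windows Boot Manager"), {})
    loader = entries.get(mgr.get("default", ""), {})
    recovery = entries.get(loader.get("recoverysequence", ""), {})
    return {
        "default": loader.get("description", "<unresolved>"),
        "recovery": recovery.get("description", "<unresolved>"),
        "recovery_device": recovery.get("device", "<unresolved>"),
        "recovery_winpe": recovery.get("winpe", "No"),
    }

# Loader settings that relax driver code-signing enforcement; worth a look when a rootkit is suspected.
SUSPECT_SETTINGS = ("testsigning", "nointegritychecks")

def review(entries):
    """Flag references to undefined entries, relaxed signing settings and odd loader paths."""
    findings = []
    for ident, e in entries.items():
        for key in ("default", "recoverysequence", "resumeobject"):
            ref = e.get(key)
            if ref and ref not in entries:
                findings.append(f"{ident}: {key} refers to undefined entry {ref}")
        for key in SUSPECT_SETTINGS:
            if e.get(key, "").lower() == "yes":
                findings.append(f"{ident}: {key} is enabled")
        if e.get("_type") == "Windows Boot Loader" and not e.get("path", "").lower().endswith("winload.exe"):
            findings.append(f"{ident}: loader path {e.get('path')!r} is not winload.exe")
    return findings
```

To run it on the real bcd.txt, pass the file's contents to parse_bcd instead of SAMPLE_BCD.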

#8 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,304 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 28 December 2011 - 10:52 AM

Do you have an installation CD we can use as an alternate to the System Recovery Options?

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

The tool will also produce a copy of the mbrdump labeled MBR.dat. Please upload that file here.

Edited by JSntgRvr, 28 December 2011 - 11:38 AM.



#9 JibberWacky
  • Topic Starter
  • Members
  • 18 posts

Posted 28 December 2011 - 03:25 PM

I don't have the Installation CD, my computer never came with it.

I tried running aswMBR, but it immediately crashed my computer! I haven't uninstalled it, but should I do so?

JW

#10 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,304 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 28 December 2011 - 05:00 PM

Right click on aswMBR.exe and select "Run as an administrator". Does it also crash?



#11 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,304 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 28 December 2011 - 05:29 PM

If no go, let's use this tool:

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Edited by JSntgRvr, 28 December 2011 - 05:36 PM (typo).



#12 JibberWacky
  • Topic Starter
  • Members
  • 18 posts

Posted 28 December 2011 - 06:20 PM

Okay, running aswMBR as an administrator caused my computer to shut itself down again, so I ran MBRCheck with no problems.

Here's the log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: Gateway
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Gateway
System Product Name: DX4200-UB001A
Logical Drives Mask: 0x000013fc

Kernel Drivers (total 156):

Processes (total 89):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`dfce4e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD6400AAKS-00A7B0, Rev: 01.03B01

Size    Device Name          MBR Status
--------------------------------------------
596 GB  \\.\PhysicalDrive0   Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!

Thanks,

JW

#13 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,304 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 28 December 2011 - 07:32 PM

Run MBRCheck.exe once again.

You will be presented with the following dialog:

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Enter Y and press Enter.

The following dialog will be presented:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:


Enter 1 and press Enter

The following dialog will be presented:

Enter the physical disk number to fix (0-99, -1 to cancel):


Enter 0 and press Enter

Note: It is zero (0)

The program will ask for the file name to dump to, type dump.dat and Press Enter. You should see a Dumped successfully message. Type -1 and press Enter twice to exit the program. Save the dump.dat file to your desktop then attach it on your next reply.

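As an added example (not from the thread or from MBRCheck), the Python below shows what can be read from the 512-byte file that option [1] above writes: it checks the 0x55AA boot signature, decodes the four partition-table slots, hashes the boot-code area so it can be compared with a known-good copy, and cross-checks the table against the volume offsets MBRCheck printed for C: and D: in the log above. The MBR bytes and the disk size are constructed to match those offsets; to examine a real dump, pass the bytes of dump.dat to parse_mbr.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count

# Volume-to-disk offsets exactly as MBRCheck printed them in the log above.
MBRCHECK_VOLUMES = {"C:": 0x00000003DFCE4E00, "D:": 0x0000000000007E00}
DISK_SECTORS = 1_250_263_728  # constructed: a 640 GB drive; not taken from the log


def build_sample_mbr():
    """Constructed 512-byte MBR whose partition table matches the offsets above.
    The boot-code area (bytes 0..445) is a zero stub, not real boot code."""
    mbr = bytearray(SECTOR)
    d_start = MBRCHECK_VOLUMES["D:"] // SECTOR
    c_start = MBRCHECK_VOLUMES["C:"] // SECTOR
    table = [
        (0x00, 0x07, d_start, c_start - d_start),       # D: recovery partition, NTFS, inactive
        (0x80, 0x07, c_start, DISK_SECTORS - c_start),  # C: system partition, NTFS, active
    ]
    for i, (status, ptype, lba, count) in enumerate(table):
        off = 446 + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Decode boot signature, partition table and boot-code hash from a raw MBR dump."""
    if len(mbr) < SECTOR:
        raise ValueError(f"MBR dump is {len(mbr)} bytes, expected at least {SECTOR}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0x00:
            continue  # unused slot
        partitions.append({"slot": i, "status": status, "type": ptype, "start_lba": lba,
                           "sectors": count, "byte_offset": lba * SECTOR})
    return {"bootcode_sha1": hashlib.sha1(mbr[:446]).hexdigest().upper(), "partitions": partitions}


def cross_check(parsed, volumes, disk_sectors):
    """Compare the table against what the OS reports and against basic sanity rules."""
    findings = []
    offsets = {p["byte_offset"] for p in parsed["partitions"]}
    for letter, offset in volumes.items():
        if offset not in offsets:
            findings.append(f"{letter} starts at 0x{offset:X} but no partition entry begins there")
    active = [p for p in parsed["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for p in parsed["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']}: invalid status byte 0x{p['status']:02X}")
        if p["start_lba"] + p["sectors"] > disk_sectors:
            findings.append(f"slot {p['slot']}: extends past end of disk")
    return findings


if __name__ == "__main__":
    # Real use: parsed = parse_mbr(open("dump.dat", "rb").read())
    result = parse_mbr(build_sample_mbr())
    for p in result["partitions"]:
        print(f"slot {p['slot']} type 0x{p['type']:02X} start LBA {p['start_lba']} ({p['byte_offset']:#x})")
    print("boot code SHA1:", result["bootcode_sha1"])
    print("findings:", cross_check(result, MBRCHECK_VOLUMES, DISK_SECTORS) or "none")
```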


#14 JibberWacky
  • Topic Starter
  • Members
  • 18 posts

Posted 29 December 2011 - 12:51 AM

I ran the tool twice more, both times showed me the window that I've attached in this response. No other prompt or dialog was presented.

JW

Edited by JibberWacky, 29 December 2011 - 12:52 AM.


#15 JSntgRvr
  • Master Surgeon General
  • Malware Response Team
  • 11,304 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 29 December 2011 - 01:04 AM

Let me consult these findings with the developer.





