
Removed Bootkit...is it clean?


This topic is locked
12 replies to this topic

#1 dherzog02

  • Members
  • 6 posts

Posted 12 March 2012 - 11:15 PM

I am working on a friend's computer. After running an online scan (I think it was Symantec or Kaspersky) I saw several dozen threats detected. Trying to take the easy way out I backed up the data and went to the Recovery console, restored the system to factory defaults. She didn't have much on the system. It was reinfected immediately which made me do a search for how that can happen. I hadn't encountered "bootkits" before but it sounded like what I had and saw several recommendations to try TDSSkiller so I ran that. It found a problem with the MBR. I selected the "Cure" option.

So now it appears that all of the prior symptoms are gone. I have also run several scans (MalwareBytes, Symantec online scanner) and everything comes up clean except the quarantine from TDSSKiller. Unfortunately, I cannot boot to the recovery partition any more. When I try that, I receive the error:

Stop: 0xc0000218 {Registry File Failure}
The registry cannot load the hive (file)

I don't think that is caused by malware but either way I want to be certain this computer is clean before I return it to the owner.

Thanks,
Donald

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000
Run by missyclm11 at 19:35:39 on 2012-03-12
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.1791.773 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Windows\system32\taskeng.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [Skytel] Skytel.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [Setresolution] c:\acersw\config\1440x900.cmd
mRun: [Apanel] c:\acersw\config\SetApanel.cmd
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [eRecoveryService]
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\missyc~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\acerpr~1.lnk - c:\program files\acer registration\ACE1.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E18E4F40-05F5-4E1C-8DCE-C1EFA89EA173} : DhcpNameServer = 192.168.1.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-3-19 201288]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2008-3-19 269448]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-3-19 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-19 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-19 695624]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-3-19 79304]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-3-19 35240]
R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2008-3-19 40488]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-3-11 136176]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2012-3-6 88176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-3-11 136176]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2008-3-19 33800]
.
=============== Created Last 30 ================
.
2012-03-13 01:48:55 -------- d-----w- c:\program files\MSXML 4.0
2012-03-12 06:05:05 310784 ----a-w- c:\windows\system32\unregmp2.exe
2012-03-12 06:05:05 1418752 ----a-w- c:\program files\windows media player\setup_wm.exe
2012-03-12 06:04:59 7680 ----a-w- c:\windows\system32\spwmp.dll
2012-03-12 06:04:59 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2012-03-12 06:04:59 107520 ----a-w- c:\program files\windows media player\wmpshare.exe
2012-03-12 06:04:58 107520 ----a-w- c:\program files\windows media player\wmpconfig.exe
2012-03-12 06:04:57 4096 ----a-w- c:\windows\system32\dxmasf.dll
2012-03-12 06:04:56 4096 ----a-w- c:\windows\system32\msdxm.ocx
2012-03-12 06:04:55 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2012-03-12 05:47:47 2421760 ----a-w- c:\windows\system32\wucltux.dll
2012-03-12 05:47:23 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-03-12 05:47:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2012-03-12 05:35:38 -------- d-----w- c:\users\missyclm11\appdata\roaming\Malwarebytes
2012-03-12 05:35:29 -------- d-----w- c:\programdata\Malwarebytes
2012-03-12 05:35:28 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-12 05:35:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-12 04:21:31 6080 ----a-w- c:\windows\system32\drivers\zntport.sys
2012-03-12 04:20:34 14544 ----a-w- c:\windows\system32\drivers\TVicPort.sys
2012-03-12 04:19:00 6144 ----a-w- c:\windows\system32\drivers\NTIDrvr.sys
2012-03-12 03:21:10 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-12 00:57:10 -------- d-----w- c:\users\missyclm11\appdata\local\Google
2012-03-12 00:49:00 -------- d-----w- c:\users\missyclm11\appdata\local\Adobe
2012-03-06 14:28:56 187392 ----a-w- c:\windows\Acer(Normal).scr
2012-03-06 14:28:55 187392 ----a-w- c:\windows\Acer(Wide).scr
2012-03-06 14:28:55 -------- d-----w- c:\windows\Acer_Wide
2012-03-06 14:28:55 -------- d-----w- c:\program files\Acer Inc
2012-03-06 14:28:43 -------- d-----w- c:\windows\Acer_Normal
2012-03-06 14:26:55 368640 ----a-w- c:\windows\system32\CheckD2DSystem.exe
2012-03-06 14:26:55 327680 ----a-w- c:\windows\system32\Remove_eRecovery.exe
2012-03-06 14:26:55 16384 ----a-w- c:\windows\system32\LauncheRyAgentUser.exe
2012-03-06 14:26:55 16384 ----a-w- c:\windows\system32\ClearEvent.exe
2012-03-06 14:25:16 98360 ----a-w- c:\windows\system32\hcwi2c32.dll
2012-03-06 14:25:16 36921 ----a-w- c:\windows\system32\hcwutl32_priv.dll
2012-03-06 14:25:16 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2012-03-06 14:25:16 262200 ----a-w- c:\windows\system32\hcwpnp32_priv.dll
2012-03-06 14:25:16 262200 ----a-w- c:\windows\system32\hcwpnp32.dll
2012-03-06 14:24:10 -------- d-----w- c:\users\missyclm11\appdata\local\ATI
2012-03-06 14:23:50 -------- d-----w- c:\users\missyclm11\appdata\roaming\Acer
2012-03-06 08:27:40 -------- d-----w- c:\program files\YUAN
2012-03-06 08:23:32 -------- d-----w- c:\program files\ATI Technologies
2012-03-06 08:22:49 -------- d-----w- c:\program files\ATI
2012-03-06 08:21:42 -------- d-----w- c:\program files\Acer Assist
2012-03-06 08:21:41 -------- d-----w- c:\program files\Acer Registration
2012-03-06 08:19:13 -------- d-----w- c:\users\missyclm11\appdata\local\PowerCinema
2012-03-06 08:18:57 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-06 08:16:22 1822720 ----a-w- c:\windows\SkyTel.exe
2012-03-06 08:16:22 135168 ----a-w- c:\windows\system32\SRSWOW.dll
2012-03-06 08:16:21 532480 ----a-w- c:\windows\system32\RTSndMgr.cpl
2012-03-06 08:16:21 495104 ----a-w- c:\windows\system32\RtkPgExt.dll
2012-03-06 08:16:21 1761696 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2012-03-06 08:16:20 4423680 ----a-w- c:\windows\RtHDVCpl.exe
2012-03-06 07:01:07 -------- d-----w- c:\program files\Motorola
.
==================== Find3M ====================
.
2012-03-06 08:16:24 319456 ----a-w- c:\windows\DIFxAPI.dll
2012-03-06 07:43:40 1692 ----a-w- c:\windows\CLEANUP.CMD
.
============= FINISH: 19:36:41.83 ===============


#2 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 14 March 2012 - 02:00 PM

Hello, and welcome to BleepingComputer.

This is something that can happen after curing the MBR. Do you have the original Vista DVD?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 dherzog02

  • Topic Starter
  • Members
  • 6 posts

Posted 14 March 2012 - 08:05 PM

Unfortunately no. The computer didn't come with one...Acer just settled a lawsuit about this issue but the deadline just passed to get a recovery DVD.

#4 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 15 March 2012 - 03:50 AM

As a bootkit was present it is very hard to recover access to the recovery partition without a DVD.

  • Please download MBRScan and save it to your desktop.
  • Doubleclick on MBRScan.exe and click the Report button. (Vista and Windows 7 Users, right click on MBRScan and then click on run as administrator).
  • Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
  • When the scan is finished, a log file will appear.
  • Save that log file to your desktop and post its content in your next reply.

regards, Elise


#5 dherzog02

  • Topic Starter
  • Members
  • 6 posts

Posted 15 March 2012 - 08:17 PM

It only took a few seconds, I assume that is normal?

MBRScan v1.1.1

OS             : Windows Vista Service Pack 1 (32 bit)
PROCESSOR      : x86 Family 15 Model 107 Stepping 2, AuthenticAMD
BOOT           : Normal Boot
DATE           : 2012/03/15 (ISO 8601) at 18:13:44
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __ST3320820AS (3.AAD)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : NO
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK           : Device\Harddisk1\DR1 __UFD USB Flash Drive (1100)
BUS_TYPE       : (0x07)  USB
USE_PIO        : NO
MAX_TRANSFER   : 64 Kb
ALIGNMENT_MASK : byte aligned
________________________________________________________________________________

Device\Harddisk0\DR0	298.1 Go  [Fixed] ==> Acer Recovery

MBR_MD5   : 3AC60F6ABA49F51C6AFC6D39B81F8B1E
MBR_SHA1  : 859DBD56C7395E3DDBA36268AAAB3CC302E4D484

Device\Harddisk0\Partition1	9.76 Go  	0x27 RE Hidden partition 
Device\Harddisk0\Partition2	144.3 Go  	0x06 FAT16  __ BOOTABLE __
Device\Harddisk0\Partition3	144.0 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

Device\Harddisk1\DR1	3.73 Go  [Removable] ==> Unknown MBR Code

MBR_MD5   : DEFADE3FB1040F3406C6F62C0CCF4031
MBR_SHA1  : A8AC61758A1E5F63FE77DD65D0BAAEE616031C2D

Device\Harddisk1\Partition1	3.73 Go  	0x0C FAT32 [LBA]  __ BOOTABLE __
________________________________________________________________________________

############################### Additional scan ################################

DRIVER  : C:\Windows\System32\Drivers\dump_dumpata.sys => Invisible on the disk
ADDRESS : 0x8D75F000
SIZE    : 44.0 Ko

DRIVER  : C:\Windows\System32\Drivers\dump_atapi.sys => Invisible on the disk
ADDRESS : 0x8D76A000
SIZE    : 32.0 Ko

BCD EmsSettings {0CE4991B-E6B3-4B16-B23C-5E0D9250E5D9} => BcdLibraryBoolean_EmsEnabled (16000020)

SystemStartOptions : /NOEXECUTE=OPTIN

________________________________________________________________________________

_______MBR   \Device\Harddisk0\DR0

_______MBR   \Device\Harddisk1\DR1


#6 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 16 March 2012 - 03:58 AM

I'd like to see an offline MBR dump here as well.

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


#7 dherzog02

  • Topic Starter
  • Members
  • 6 posts

Posted 16 March 2012 - 04:37 AM

OK, thanks!

Attached Files: mbr.zip (460 bytes)


#8 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 16 March 2012 - 05:34 AM

The recovery partition is still present. Problem is, if you boot from it you'll only have the option to do a recovery, nothing else. So, either you do that and restore to factory settings, or you leave things as they are now and continue to use Windows as it is now. You can always do a recovery, but you'll need to adjust which partition is bootable manually to be able to access it.

regards, Elise
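As an added example (not the thread's own code, nor MBRScan's or TDSSKiller's), the following Python parses an mbr.bin captured with the dd command from post #6, runs the structural checks a helper would want before calling the MBR clean, and shows the in-memory edit behind "adjust which partition is bootable" from post #8. The sample image is constructed to mirror the partition layout MBRScan reported for Harddisk0 (types 0x27 / 0x06 / 0x07, partition 2 active); its boot code is zeroed, not the real Acer code, and the offsets and names are the standard MBR layout, not anything taken from the tools in the thread.

```python
"""Parse and sanity-check a 512-byte MBR image such as the mbr.bin
produced by `dd if=/dev/sda of=mbr.bin bs=512 count=1`.
Added example; not part of the thread, MBRScan or TDSSKiller."""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 0x1BE          # the four 16-byte partition entries start here
SIG_OFFSET = 0x1FE         # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sectors

# Names for the partition types that appear in the MBRScan report above.
TYPE_NAMES = {0x06: "FAT16", 0x07: "NTFS / HPFS", 0x0C: "FAT32 [LBA]",
              0x27: "RE Hidden partition"}


def build_sample_mbr():
    """Constructed sample: zeroed boot code plus a partition table mirroring
    the layout MBRScan reported for Harddisk0 (types 0x27 / 0x06 / 0x07,
    partition 2 active). Sector counts reproduce the reported sizes; the
    boot code is NOT the real Acer code."""
    mbr = bytearray(SECTOR)
    entries = [
        (0x00, 0x27, 63,        20466747),   # ~9.76 GiB hidden recovery
        (0x80, 0x06, 20467712,  302606336),  # ~144.3 GiB, marked active
        (0x00, 0x07, 323074048, 302000128),  # ~144.0 GiB NTFS
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16 * i, status,
                         b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    mbr[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(data):
    """Describe an MBR image: boot-signature validity, SHA-1 of the boot-code
    region (bytes 0..0x1BD, the part to compare against a known-good
    baseline) and the populated partition entries."""
    if len(data) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, data, PT_OFFSET + 16 * i)
        if ptype == 0:               # empty slot
            continue
        parts.append({"index": i + 1, "active": status == 0x80,
                      "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count,
                      "size_gib": round(count * SECTOR / 2 ** 30, 2)})
    return {"signature_ok": data[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa",
            "bootcode_sha1": hashlib.sha1(data[:PT_OFFSET]).hexdigest(),
            "partitions": parts}


def check_mbr(info):
    """Structural checks to run before calling an MBR clean.
    Returns a list of findings; an empty list means nothing looks off."""
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    active = [p["index"] for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d"
                        % len(active))
    # Overlapping entries are a classic sign of a hand-edited table.
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                    for p in info["partitions"])
    for (_, end1), (start2, _) in zip(ranges, ranges[1:]):
        if start2 < end1:
            findings.append("partitions overlap at LBA %d" % start2)
    return findings


def set_active_partition(data, index):
    """Return a copy of the image with only partition `index` (1..4) marked
    active: the edit behind making the recovery partition bootable again.
    Only the in-memory copy changes; writing it back to the disk is a
    separate, deliberate step."""
    out = bytearray(data)
    for i in range(4):
        off = PT_OFFSET + 16 * i
        if out[off + 4] != 0:        # only touch populated entries
            out[off] = 0x80 if i + 1 == index else 0x00
    return bytes(out)
```

Feed `parse_mbr(open("mbr.bin", "rb").read())` into `check_mbr` to get the findings for a real capture; the boot-code SHA-1 is only meaningful next to a hash taken from a known-good MBR of the same OEM image.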


#9 dherzog02

  • Topic Starter
  • Members
  • 6 posts

Posted 16 March 2012 - 10:07 AM

OK, I've done that before so that shouldn't be a problem. Otherwise everything looks clean right?

#10 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 16 March 2012 - 10:12 AM

Yes, besides that everything is clean. Note that Vista is outdated and will need to be updated so the computer will be protected against the latest exploits.

regards, Elise


#11 dherzog02

  • Topic Starter
  • Members
  • 6 posts

Posted 16 March 2012 - 10:23 AM

OK, thanks for all your help!

#12 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 16 March 2012 - 10:49 AM

You are welcome. :)

Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


#13 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 20 March 2012 - 09:33 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise