Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Possible MBR rootkit

  • This topic is locked This topic is locked
5 replies to this topic

#1 everythinginane


  • Members
  • 8 posts
  • Local time:05:39 AM

Posted 16 March 2012 - 06:19 AM

I was referred here for deeper help, here is the first post of my original topic:

Every time I start up, Avast! shortly notifies me that it found a Rootkit. It says it can fix it, but then doesn't, and instead asks me to restart and allow it to scan before the computer boots up fully, which I tried but doesn't remove it either.

Using TDSS Killer, it identifies the Rootkit as "rootkit.boot.pihar.b" (but when that tries to cure, it says "Can't cure MBR. Write standard bootcode?" I select yes, it says "All threats neutralized", but the problem is still not resolved)

From there, and overall, I have run (many times):
TDSS Killer

have scanned with (numerous times):
MalwareBytes Anti-malware

None of this stops Avast! from notifying me of the Rootkit every time I restart.

I have two harddrives;
-I operate on Windows 7 64 bit
-On another harddrive I have another (corrupted) installation of Windows 7 64bit on one partition, and Windows XP on another partition on the same drive.
Effectively, I have a tri-boot system, and was wondering if this might possibly have something to do with TDSS Killer saying it "Can't cure MBR"?

I was told to include this part of that topic, as well:

ran mbr.exe -f, Here's the log:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR

I created a DDS log, see below.
I am running windows 7 64bit, I was told to skip creating a GMER log if I was running 64 bit. So I did.

here's the DDS log -

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_27
Run by Ben at 7:03:21 on 2012-03-16
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6142.3331 [GMT -4:00]
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\AIM\aim.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Last.fm\LastFM.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
D:\Program Files (x86)\Adobe\Adobe Photoshop CS5\Photoshop.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
c:\program files\windows defender\MpCmdRun.exe
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer =
TCP: Interfaces\{378A700C-9D1B-4F82-B4CB-AF44E7BA9BB5} : DhcpNameServer =
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\xp3gkyhz.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Users\Ben\AppData\Local\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-12-18 44768]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-2-19 366152]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-3-12 2348352]
R2 PanService;PandoraService;C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe [2012-2-12 1867480]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-9 382272]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM 64 bit;C:\Windows\system32\drivers\Envy24HF.sys --> C:\Windows\system32\drivers\Envy24HF.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Jukebox3_x64;Jukebox3_x64;C:\Windows\system32\DRIVERS\ctpdusbx.sys --> C:\Windows\system32\DRIVERS\ctpdusbx.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
=============== Created Last 30 ================
2012-03-16 06:46:24 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F616DB96-6F1A-4D84-B04F-91F703093639}\offreg.dll
2012-03-16 06:44:40 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F616DB96-6F1A-4D84-B04F-91F703093639}\mpengine.dll
2012-03-14 01:06:55 5504880 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-14 01:06:54 3957616 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-14 01:06:52 3902320 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-13 20:31:37 3143168 ----a-w- C:\Windows\System32\win32k.sys
2012-03-13 20:31:33 1541120 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-13 20:31:33 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-13 20:31:32 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll
2012-03-13 20:31:32 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2012-03-13 20:31:31 902656 ----a-w- C:\Windows\System32\d2d1.dll
2012-03-13 20:31:31 1837568 ----a-w- C:\Windows\System32\d3d10warp.dll
2012-03-13 20:31:31 1170944 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2012-03-13 20:31:30 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-03-13 20:31:30 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2012-03-13 20:31:30 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2012-03-13 20:30:07 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-13 20:30:07 76288 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-13 20:30:07 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-13 20:30:03 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-13 20:30:02 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-13 20:30:02 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-13 20:30:02 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-12 11:27:26 -------- d-----w- C:\Users\Ben\AppData\Roaming\NVIDIA
2012-03-12 09:50:00 -------- d-----w- C:\SwSetup
2012-03-12 06:17:22 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2012-03-12 06:17:05 63296 ----a-w- C:\Windows\System32\nvshext.dll
2012-03-12 06:17:04 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-03-12 06:17:04 6074176 ----a-w- C:\Windows\System32\nvcpl.dll
2012-03-12 06:17:04 3089728 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-03-12 06:17:04 118080 ----a-w- C:\Windows\System32\nvmctray.dll
2012-03-12 06:16:17 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2012-03-12 06:14:58 -------- d-----w- C:\NVIDIA
2012-03-09 05:08:45 -------- d-----w- C:\Program Files (x86)\Myst III Exile
2012-03-09 05:08:29 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2012-03-09 05:08:29 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2012-03-09 05:08:29 221184 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-03-09 05:08:29 221184 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2012-03-07 04:22:56 162664 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-02-29 04:29:59 89088 ----a-w- C:\mbr.exe
2012-02-24 21:42:10 -------- d-sh--w- C:\$RECYCLE.BIN
2012-02-24 19:55:53 98816 ----a-w- C:\Windows\sed.exe
2012-02-24 19:55:53 518144 ----a-w- C:\Windows\SWREG.exe
2012-02-24 19:55:53 256000 ----a-w- C:\Windows\PEV.exe
2012-02-24 19:55:53 208896 ----a-w- C:\Windows\MBR.exe
2012-02-23 13:26:12 -------- d-----w- C:\Users\Ben\AppData\Roaming\SUPERAntiSpyware.com
2012-02-23 13:25:35 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-02-23 13:25:35 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-02-22 09:32:05 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-21 10:51:27 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
2012-02-21 10:51:27 634368 ----a-w- C:\Windows\System32\msvcrt.dll
2012-02-20 07:00:10 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-02-20 07:00:10 478208 ----a-w- C:\Windows\SysWow64\timedate.cpl
2012-02-20 06:59:58 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-02-16 17:58:34 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-02-16 17:58:34 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
==================== Find3M ====================
2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-12 12:56:16 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-10 00:05:44 416064 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2011-12-28 00:24:56 368640 ----a-w- C:\Windows\SysWow64\ReWire.dll
2011-12-28 00:24:56 233472 ----a-w- C:\Windows\SysWow64\REX Shared Library.dll
2003-05-29 12:50:58 94208 ----a-w- C:\Program Files (x86)\WinDV.exe
============= FINISH: 7:06:20.73 ===============


Attached Files

Edited by everythinginane, 16 March 2012 - 06:22 AM.

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:39 AM

Posted 18 March 2012 - 07:33 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 everythinginane

  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:39 AM

Posted 21 March 2012 - 11:45 PM

here I am! Subscribed.

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:39 AM

Posted 22 March 2012 - 05:51 PM

Pihar is not nice and so we need to boot the machine away from Windows to get some proper results to go on

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.

Posted Image
m0le is a proud member of UNITE

#5 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:39 AM

Posted 25 March 2012 - 07:48 PM


I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.


Posted Image
m0le is a proud member of UNITE

#6 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:10:39 AM

Posted 26 March 2012 - 07:38 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users