Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

possible mbr.sys rootkit - hacker attack


  • Please log in to reply
1 reply to this topic

#1 gzgrrrl

gzgrrrl

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 27 April 2012 - 08:43 PM

I believe I have become the target of a hacker. I was having problems getting online and getting access to some websites (but not others) and my computer became quite slow whenever I was online. When I began trying to clean it I lost administrator privledges and began getting 'access denied' and 'exe. failed' windows - basically nothing worked. I was attempting to do a system restore when it froze up by saying I was low on virtual memory and so I had to shut it down and subsequently lost EXPLORER.exe in the process - so now nothing works, I just get a background pic and that's it.
So with that computer toast, I began using the other one in the home and it began experiencing the same problems. IE couldn't connect and something was attempting to modify ctfmon.exe, which was stopped. Also Winpatrol detected a change in the file HOSTS (C:\windows\system32\drivers\etc\hosts). When I ran GMER it showed a .text file called '...' with no value. I have rejected the change but the window continues to pop up every 5-10 mins.
I ran a RootRepeal and it shows a file called 'mbr.sys' that's not visible with no type (?) located at c:DOCUME~1\name\LOCALS~1\Temp\mbr.sys, and another one in the same location called 'pxdyipow.sys' (also not visible) that I could find NO information on that particular file anywhere.

Any help I can get removing this thing (rootkit?)from my computer would be greatly appreciated. Thanks to all.

Edited by gzgrrrl, 27 April 2012 - 08:46 PM.


BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:25 PM

Posted 28 April 2012 - 07:56 PM

Hello and welcome to BleepingComputer! :)



I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that aspect. DO NOT bring any changes to the system except the ones I tell you to as that may produce more damage than helping us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.



Can you generate a log using this file ? If not, can you boot into Safe Mode and try running it from there? Tell me if you do not know how to access Safe Mode. :)



Thank you very much for your patience.




Regards,

Elle

Edited by Blind Faith, 28 April 2012 - 07:57 PM.

Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users