MBR infection, not sure what it is


  • This topic is locked
4 replies to this topic

#1 cuppajoe2


  • Members
  • 5 posts

Posted 25 September 2012 - 11:58 PM

Hello,
All three of my computers at home seem to be infected with the same thing (not sure what it is). I have a home network setup and I think they may have gotten infected through the router and my network perhaps. One computer is brand new, and when I was setting it up it started showing the same behavior as the other two. There seems to be someone else logged on as a user during the setup, and after the setup I am not allowed admin privileges, even though I created an admin account during setup. I can't download anything from my DVD/CD player, including security software. I can't change several of the settings on the computer, especially security-related ones, and I am also having problems keeping settings once I have changed them (some of them revert back the next time I open up the process to check on the settings). There seems to be some kind of fake desktop, which I can move during setup if I open Task Manager while it says "devices are installing". I have spent hours trying to fix whatever it is with no success. I hope that someone knows what this might be infecting my computers and if it can be removed. Thank you for any help with this.

I am using Windows 7 on x64 laptop computers.

I tried to run GMER, but the only options given for the check boxes were services, registry, files, and drives C: and D:
The other areas were not enabled. Here is the log from GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-25 21:55:30
Windows 6.1.7601 Service Pack 1
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885ea0f8c
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\c01885ea0f8c (not active ControlSet)

---- EOF - GMER 1.0.15 ----

Thanks for your help. I really appreciate it.

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Administrator at 21:17:12 on 2012-09-25
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4007.2891 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\apple\mbamscheduler.exe
C:\apple\mbamservice.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\apple\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Sony\VAIO Smart Network\VSNService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 209.165.131.12 209.165.131.13
TCP: Interfaces\{DB3EF54A-85DA-4BE0-B8DD-C6283674CCC2} : DhcpNameServer = 209.165.131.12 209.165.131.13
TCP: Interfaces\{DDF14EDB-2F32-4BC3-A611-90677AE684EA} : DhcpNameServer = 209.165.131.12 209.165.131.13
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgloga;AVG Logging Driver;C:\Windows\system32\DRIVERS\avgloga.sys --> C:\Windows\system32\DRIVERS\avgloga.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgfwfd;AVG network filter service;C:\Windows\system32\DRIVERS\avgfwd6a.sys --> C:\Windows\system32\DRIVERS\avgfwd6a.sys [?]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 MBAMScheduler;MBAMScheduler;C:\apple\mbamscheduler.exe [2012-9-20 399432]
R2 MBAMService;MBAMService;C:\apple\mbamservice.exe [2012-9-20 676936]
R2 VSNService;VSNService;C:\Program Files\Sony\VAIO Smart Network\VSNService.exe [2012-9-24 955832]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MEIx64;Intel® Management Engine Interface ;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\DRIVERS\SFEP.sys --> C:\Windows\system32\DRIVERS\SFEP.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 avgfws;AVG Firewall;"C:\Documents and Settings\av\avgfws.exe" --> C:\Documents and Settings\av\avgfws.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;"C:\Documents and Settings\av\avgidsagent.exe" --> C:\Documents and Settings\av\avgidsagent.exe [?]
S2 avgwd;AVG WatchDog;"C:\Documents and Settings\av\avgwdsvc.exe" --> C:\Documents and Settings\av\avgwdsvc.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y60x64.sys --> C:\Windows\system32\DRIVERS\e1y60x64.sys [?]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-6-1 340240]
S3 PORTMON;PORTMON;C:\SysinternalsSuite\PORTMSYS.SYS [2012-9-24 28656]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
.
=============== Created Last 30 ================
.
2012-09-26 01:10:38 9308616 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B667B178-41EB-4E84-9477-F598794986B9}\mpengine.dll
2012-09-25 17:03:26 552960 ----a-w- C:\Windows\System32\drivers\bthport.sys
2012-09-25 16:55:07 -------- d-sh--w- C:\$RECYCLE.BIN
2012-09-25 16:54:02 9308616 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-09-25 06:42:18 -------- d-----w- C:\Users\Administrator\AppData\Local\temp
2012-09-25 06:04:55 -------- d-----w- C:\fa883f5df1949098477c63
2012-09-25 05:57:37 20360 ----a-w- C:\Windows\System32\drivers\Dbgv.sys
2012-09-25 05:56:16 9308616 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2012-09-25 05:55:02 -------- d-----w- C:\SysinternalsSuite
2012-09-25 05:51:03 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-09-25 05:51:03 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-09-25 05:51:02 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-09-25 05:51:02 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-09-25 05:51:02 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-09-25 05:51:02 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-09-25 05:51:02 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-09-25 05:42:33 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-09-25 05:39:57 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-09-25 05:39:57 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-09-25 05:39:57 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-09-25 05:37:32 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-09-25 05:37:26 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-09-25 05:37:26 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-09-25 05:33:56 -------- d-----w- C:\Users\Administrator\AppData\Local\ElevatedDiagnostics
2012-09-25 05:28:53 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Intel
2012-09-25 05:28:46 -------- d-----w- C:\Users\Administrator\Roaming
2012-09-25 05:28:11 -------- d-----w- C:\Program Files\Common Files\Intel
2012-09-25 05:28:11 -------- d-----w- C:\Program Files (x86)\Cisco
2012-09-25 05:27:01 2212440 ----a-w- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts\tdsskiller.exe
2012-09-21 04:38:22 98816 ----a-w- C:\Windows\sed.exe
2012-09-21 04:38:22 518144 ----a-w- C:\Windows\SWREG.exe
2012-09-21 04:38:22 256000 ----a-w- C:\Windows\PEV.exe
2012-09-21 04:38:22 208896 ----a-w- C:\Windows\MBR.exe
2012-09-21 04:33:28 4757278 ------r- C:\ComboFix.exe
2012-09-21 04:32:29 1382912 ----a-w- C:\RogueKiller.exe
2012-09-21 04:28:03 607260 ------r- C:\dds.scr
2012-09-21 04:26:35 881724 ----a-w- C:\SecurityCheck.exe
2012-09-21 04:25:15 50477 ----a-w- C:\Defogger.exe
2012-09-21 04:18:32 -------- d-----w- C:\_OTL
2012-09-21 04:06:44 600576 ----a-w- C:\OTL.exe
2012-09-21 04:00:59 512737 ----a-w- C:\adwcleaner.exe
2012-09-21 00:51:00 -------- d-----w- C:\ProgramData\Malwarebytes
2012-09-21 00:38:25 -------- d-----w- C:\Users\Administrator\Temp
2012-09-21 00:37:34 -------- d-----w- C:\ProcessMonitor
2012-09-21 00:36:43 -------- d-----w- C:\Streams
2012-09-21 00:35:48 -------- d-----w- C:\Music
2012-09-21 00:34:22 -------- d-----w- C:\Administrator
2012-09-21 00:34:00 27016 ----a-w- C:\Windows\SysWow64\drivers\PROCEXP141.SYS
2012-09-21 00:24:22 -------- d-----w- C:\pstoo
2012-09-20 21:33:37 -------- d-----w- C:\Users\Administrator\AppData\Roaming\AVG2013
2012-09-20 21:33:14 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Malwarebytes
2012-09-20 21:33:08 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-20 21:33:08 -------- d-----w- C:\apple
2012-09-20 21:32:59 -------- d-----w- C:\Users\Administrator\AppData\Roaming\TuneUp Software
2012-09-20 21:32:48 -------- d-----w- C:\ProgramData\AVG2013
2012-09-20 21:29:40 -------- d-----w- C:\Users\Administrator\AppData\Local\MFAData
2012-09-20 21:29:40 -------- d-----w- C:\Users\Administrator\AppData\Local\Avg2013
2012-09-20 21:29:40 -------- d-----w- C:\ProgramData\MFAData
2012-09-20 21:29:40 -------- d-----w- C:\ProgramData\Common Files
2012-09-20 21:13:09 -------- d-----w- C:\ProgramData\Sony Corporation
2012-09-20 21:13:06 -------- d-----w- C:\Program Files\Sony
2012-09-20 21:12:36 557848 ----a-r- C:\Windows\System32\drivers\iaStor.sys
2012-09-18 01:58:54 56672 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2012-09-14 12:34:34 105312 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2012-09-12 18:47:20 199520 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2012-09-12 18:47:02 175968 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
.
==================== Find3M ====================
.
2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-13 23:40:52 150880 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2012-08-10 11:52:16 40288 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
2012-08-09 20:56:42 230240 ----a-w- C:\Windows\System32\drivers\avgloga.sys
2012-08-02 17:58:52 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-08-02 16:57:20 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-07-04 20:26:03 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys
.
============= FINISH: 21:17:24.21 ===============


#2 Noviciate


  • Malware Response Team
  • 5,277 posts

Posted 26 September 2012 - 03:12 PM

Good evening. :)

Assuming that the PC wasn't already infected when you bought it, which is unlikely I admit, I can see some possibilities:

  • You installed some software that was infected - you'll know whether you installed something to all the PCs.
  • You used an infected flash drive to transfer files which infected the PC - sometimes infections can be passed just by plugging one in.
  • The nasty on one of your other PCs infected it via your router when you added it to the network.

If it were me I would disconnect one of your PCs from the network, wipe the hard drive using Darik's Boot and Nuke and then reinstall Windows and see how it behaved, all without connecting it to your network or using any flash drive that you have connected to one of the infected PCs. Wiping the drive in this way should ensure that there can be no trace of anything left on the drive that could reinfect the system when you reinstall.

Assuming that this goes OK, and the above rules out everything except a BIOS infection as far as I can see, I would use a new flash drive to transfer the installation file for an anti-virus, obtained from a legitimate site and downloaded onto a trusted PC, or use a disk that comes from a legitimate source, and get that up and running.

Finally I would reset the router using the reset "hole" that it should have to ensure that that hasn't been compromised in any way and, after re-entering the connection details from your ISP using the clean PC, connect to the internet and see how the PC behaves.

If the PC shows no sign of any issues after that, do the same thing with each of the other computers in turn.

So long, and thanks for all the fish.
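A check to go with the reinstall described in the post above, added here as an example and not code from the thread or from any tool it names: dump the 512-byte MBR right after the clean install and keep it as a baseline, then compare later reads of sector 0 against it. The device path `\\.\PhysicalDrive0`, the sample partition layout and the sample sector bytes are all constructed for this example; the offsets the script uses (boot code at bytes 0..439, disk signature at 440, partition table at 446, 0x55AA signature at 510) are the standard MBR layout.

```python
"""Baseline-and-compare check for a disk's Master Boot Record (MBR).

Usage:
  python mbr_check.py                 # run the built-in clean-vs-tampered demo
  python mbr_check.py baseline.bin    # compare the live MBR against a saved sector
Save the baseline right after a clean reinstall: write the 512 bytes read_mbr() returns.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR
BOOT_CODE_LEN = 440            # bytes 0..439 hold the executable boot code
DISK_SIG_OFF = 440             # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries start here


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (needs administrator/root; on Linux use "/dev/sda").
    Prefer running this from a trusted boot medium: a kernel-resident rootkit on the
    live system can filter sector reads and hand back a clean-looking MBR."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for slot in range(4):
        entry = sector[PART_TABLE_OFF + 16 * slot:PART_TABLE_OFF + 16 * (slot + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sector_count = struct.unpack("<II", entry[8:16])
        if ptype == 0:
            continue  # unused slot
        partitions.append({"slot": slot, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sector_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def compare_to_baseline(current: dict, baseline: dict) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed since baseline")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed since baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed since baseline")
    active = [p for p in current["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a sample MBR from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", 0x1234ABCD)  # arbitrary signature
    for slot, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * slot
        sector[off] = status
        sector[off + 4] = ptype
        sector[off + 8:off + 16] = struct.pack("<II", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample data, not taken from the thread: a clean MBR with a typical
# Windows 7 layout (active 100 MB System Reserved partition, then the OS partition),
# and a copy whose first boot-code instruction has been rewritten.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
CLEAN_LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 500_000_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, CLEAN_LAYOUT)
TAMPERED_MBR = build_mbr(b"\xeb\x3c" + CLEAN_BOOT_CODE[2:], CLEAN_LAYOUT)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            baseline = parse_mbr(f.read(SECTOR_SIZE))
        findings = compare_to_baseline(parse_mbr(read_mbr()), baseline)
    else:
        findings = compare_to_baseline(parse_mbr(TAMPERED_MBR), parse_mbr(CLEAN_MBR))
    print("OK: MBR matches baseline" if not findings else "\n".join(findings))
```

With no arguments it compares the constructed clean and tampered sectors and reports the boot-code change; run as administrator with a saved baseline file to check the live disk. Where possible read the disk from a trusted boot medium rather than from the suspect Windows install, since a rootkit that filters sector reads on the live system can return the original MBR to user-mode tools; that is one reason an offline wipe is the safer route than an in-place scan.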

 

 


#3 cuppajoe2

  • Topic Starter
  • Members
  • 5 posts

Posted 26 September 2012 - 08:11 PM

Thanks.
I'll wipe the first computer clean and reinstall Windows following your instructions. I didn't use a thumb drive, and I don't think Sony would send me a computer with a virus on it, so it must be the network. The only software I installed was Kaspersky security software from a CD that I purchased. The CD was in one of the other infected computers though. It's not possible for a virus, etc. to write to a store-bought anti-virus CD, is it? I will follow all of your suggestions and let you know how it goes.

#4 Noviciate


  • Malware Response Team
  • 5,277 posts

Posted 27 September 2012 - 01:44 PM

Good evening. :)

"It's not possible for a virus, etc. to write to a store-bought anti-virus CD, is it?"

I wouldn't worry about that one.

"I will follow all of your suggestions and let you know how it goes."

Grand, you've made me curious.

So long, and thanks for all the fish.

 

 


#5 Noviciate


  • Malware Response Team
  • 5,277 posts

Posted 13 October 2012 - 02:25 PM

As there has been no response for sixteen days this thread is now closed.

So long, and thanks for all the fish.