
MBR rootkitted



#1 Icanhazrootkit

Icanhazrootkit

  • Members
  • 51 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 31 October 2012 - 01:51 AM

I'm stuck having to use the accessibility mouse keys to navigate, as the mouse driver is dead on this system and the other system will only run in safe mode.

My wife is a Facebook enthusiast. A couple of nights ago her audio stopped working. I thought she might have mis-set something. She does that. A little while later she complained that her mouse had stopped working. I replaced the mouse to no effect and tried to figure out what had gone wrong.
Shortly after that my own system began to behave badly, refusing to restart, and refusing to display explorer when booted.

I was able to get explorer to load by forcing it closed from taskman and then restarting it. The event logs are full of ...did not register with DCOM within... I tried to recover my system to discover that all my restore points were gone and the RP utility disabled. I then attempted to run numerous scans using Avast which showed trivial PUPs but no real threats. I attempted to repair my system using the XP install media and it could not find a valid partition and that is when I decided something was serious.

Please bear with me as both systems are crippled and getting exact word for word info requires some acrobatics when referring to my system. Let me know exactly what you need and I will try to get it in here with mouse-keys and some cursing.

For the moment I'll address only my wife's system (which I'm currently on) and try to get this one fixed before moving on to the other.

I found that her AVG registration had lapsed without her saying anything about it so I attempted to set Avast up for her and it immediately returned a notice that it was expired. So much for a free-for-personal demo-ware that can be disabled by malware before it can even run. bad show.

I then downloaded TDSSKiller from a link here and RogueKiller as well... Both found problems, but RogueKiller found non-trivial issues including ZeroAccess and MBR.0, both of which it claimed to fix and which do not show on later scans.

TDSSKiller found w32/OnlineGames as well as a few PUPs.

Since I've already gone messing with this, I realize this may have made things more difficult, but I hope you can help me.
Her audio and mouse are still dead. Replacing hardware with hardware known to be working does not fix it. Replacing her PS2 mouse with a USB mouse does not return function.

In addition, her browser (Firefox) was hijacked by livesearchnow, making it cumbersome to search for help. I've locked the referrer out in Outpost, but the browser is still hijacked as I have not been able to search up the fix for that yet, and I assume that fixing that is lower priority than getting her system healthy again.

The last thing I intend to do is secure a copy of her MBR before I sit on my hands and wait for help. I am out of my depth here but I'm reasonably computer literate and will try to follow your instructions to the letter.

UPDATE:
I've run aswMBR on both systems and saved copies of the boot records for both systems, both to the desktop and to a remote NAS (linux) for safe-keeping.

Edited by hamluis, 31 October 2012 - 08:03 AM.
Moved from XP to Am I Infected - Hamluis
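An added example, not part of the original thread and not code from any of the tools mentioned in it: a small Python script for inspecting a saved MBR sector such as the copies the poster describes keeping on the desktop and a NAS. It assumes the saved file is a raw 512-byte dump of the first sector (the thread does not say what format aswMBR writes, so treat that as an assumption); the sample MBR the script builds is constructed for the demonstration and does not come from any real disk. It checks the 0x55AA boot signature, lists the partition entries, hashes the bootstrap code area so a saved copy can be compared against a later dump, and reports which region of the sector changed.

```python
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"

# A few well-known partition type IDs, enough for a readable report.
PARTITION_TYPES = {
    0x05: "extended",
    0x07: "NTFS/HPFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
}


def parse_mbr(data: bytes) -> dict:
    """Parse a raw 512-byte MBR sector: signature check, bootstrap hash, partition table."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(data)} bytes")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        # Entry layout (little-endian): status, CHS start (3 bytes, skipped),
        # type, CHS end (3 bytes, skipped), LBA of first sector, sector count.
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, offset)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type_id": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_valid": data[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(data[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbrs(baseline: bytes, current: bytes) -> list:
    """Return the names of the MBR regions that differ between a saved copy and a fresh dump."""
    regions = {
        "bootstrap": (0, PARTITION_TABLE_OFFSET),
        "partition_table": (PARTITION_TABLE_OFFSET, SIGNATURE_OFFSET),
        "signature": (SIGNATURE_OFFSET, MBR_SIZE),
    }
    return [name for name, (start, end) in regions.items()
            if baseline[start:end] != current[start:end]]


def build_sample_mbr() -> bytes:
    """Constructed sample (not a real disk): a few bootstrap bytes and one bootable NTFS partition."""
    bootstrap = b"\x33\xc0\x8e\xd0" + b"\x00" * (PARTITION_TABLE_OFFSET - 4)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return bootstrap + table + BOOT_SIGNATURE


def load_mbr(path: str) -> bytes:
    """Read the first 512 bytes of a saved sector dump (assumed raw format)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    sample = build_sample_mbr()
    report = parse_mbr(sample)
    print("signature valid:", report["signature_valid"])
    print("bootstrap sha256:", report["bootstrap_sha256"])
    for part in report["partitions"]:
        print(f"  #{part['index']} boot={part['bootable']} {part['type_name']} "
              f"start={part['lba_start']} sectors={part['sectors']}")
    # Simulate a later dump whose bootstrap code has changed.
    later = bytearray(sample)
    later[0] = 0xEB
    print("changed regions:", compare_mbrs(sample, bytes(later)))
```

To use it on real files, replace `build_sample_mbr()` with `load_mbr("MBR-before.bin")` and `load_mbr("MBR-after.bin")`. A partition table that parses as empty, or a missing 0x55AA signature, is the kind of state that would make install media report no valid partition; a changed bootstrap region with an unchanged table is what a boot-code modification looks like when two dumps of the same disk are compared.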



#2 Jimbob85

Jimbob85

  • Members
  • 308 posts
  • OFFLINE
  • Gender:Male
  • Location:VA, USA
  • Local time:06:32 PM

Posted 31 October 2012 - 08:22 AM

You have some NASTY stuff. Please follow the instructions below for BOTH computers; it will be less mess to deal with one at a time! You may want to do one PC at a time. Don't assume that one fix will fix both; it may, but it may also totally cripple another machine.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.



Also post all of your logs in that forum as well.

Edited by Jimbob85, 31 October 2012 - 08:23 AM.


#3 Icanhazrootkit

Icanhazrootkit
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 31 October 2012 - 10:47 AM

Thank you very much for pointing me in the right direction.
I have coffee, smokes, and a big bag of chips...



