Unknown MBR code & problems with up to 9000 NTFS streams
#1 drcrpsych
Posted 11 January 2014 - 07:31 PM

I believe I have been hacked and keep getting the above problems.

I ran a GMER scan which told me that I have an unknown MBR code (this has also been confirmed by other scans from Hiren's BootCD programs). The GMER scan also indicates c:/windows/system32/config/system cannot be accessed because it is being used by another program. Similar messages come up with ntuser.dat.

I have recently reset this computer (which is an Acer laptop, 64-bit, running Win8) and have only basic programs on it, with 406g free of 449g HD, yet the PC is running incredibly slowly.

When I access Disk Management, apart from the C drive, which it tells me is simple: basic NTFS 449.14g, there are three other drives, all of which are simple: basic and no file system; one is a recovery partition of 400mg, another is the EFI system partition of 300mg, and there is another recovery partition of 15.8g.

I have pasted the GMER readout below and, below that, the Alternate Stream View of NTFS streams (which I have never set up; some of which may be legit but others of which I suspect are not).

I have a text file which is a report of some 9395 alternate streams on my computer, about which I have no knowledge in terms of setting up etc., but I was unable to upload it. If required, I can email it or find another way of providing such information.

Any assistance will be greatly appreciated.

Chris

 

******************************************************************************************

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-01-12 09:55:33
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000034 WDC_WD5000LPVX-22V0TT0 rev.01.01A01 465.76GB
Running: wx696i1p.exe; Driver: C:\Users\CR\AppData\Local\Temp\pglorpob.sys
 
 
---- User code sections - GMER 2.1 ----
 
.text   C:\Windows\system32\dwm.exe[372] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                           000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\dwm.exe[372] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                           000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\dwm.exe[372] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                         000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Elantech\ETDCtrl.exe[3184] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Elantech\ETDCtrl.exe[3184] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Elantech\ETDCtrl.exe[3184] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                              000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\taskhostex.exe[3200] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                   000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\taskhostex.exe[3200] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                   000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\taskhostex.exe[3200] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                 000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\Explorer.EXE[3352] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                              000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\Explorer.EXE[3352] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                              000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\Explorer.EXE[3352] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                            000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[3928] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                          000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[3928] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                          000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[3928] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                        000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\wbem\unsecapp.exe[3012] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\wbem\unsecapp.exe[3012] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\wbem\unsecapp.exe[3012] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                              000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe[3896] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                   000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe[3896] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                   000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe[3896] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                 000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\igfxtray.exe[4148] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                     000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\igfxtray.exe[4148] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                     000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\igfxtray.exe[4148] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                   000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\igfxsrvc.exe[4168] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                     000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\igfxsrvc.exe[4168] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                     000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\igfxsrvc.exe[4168] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                   000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\hkcmd.exe[4196] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                        000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\hkcmd.exe[4196] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                        000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\hkcmd.exe[4196] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                      000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\igfxpers.exe[4216] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                           000007fe6629177a 4 bytes [29, 66, FE, 07]
.text   C:\Windows\System32\igfxpers.exe[4216] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                           000007fe66291782 4 bytes [29, 66, FE, 07]
.text   C:\Windows\System32\igfxpers.exe[4216] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                     000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\igfxpers.exe[4216] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                     000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\igfxpers.exe[4216] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                   000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4288] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                      000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4288] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                      000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4288] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                    000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[4344] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007fe6629177a 4 bytes [29, 66, FE, 07]
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[4344] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007fe66291782 4 bytes [29, 66, FE, 07]
.text   C:\Windows\system32\wbem\unsecapp.exe[4400] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\wbem\unsecapp.exe[4400] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\system32\wbem\unsecapp.exe[4400] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                              000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[4632] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690          000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[4632] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698          000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[4632] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246        000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[3648] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306   000007fe6629177a 4 bytes [29, 66, FE, 07]
.text   C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[3648] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314   000007fe66291782 4 bytes [29, 66, FE, 07]
.text   C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[3648] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690             000007fe5a7e1532 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[3648] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698             000007fe5a7e153a 4 bytes [7E, 5A, FE, 07]
.text   C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[3648] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246           000007fe5a7e165a 4 bytes [7E, 5A, FE, 07]
 
---- Threads - GMER 2.1 ----
 
Thread  C:\Windows\system32\csrss.exe [476:508]                                                                                       fffff960009365e8
 
---- Disk sectors - GMER 2.1 ----
 
Disk    \Device\Harddisk0\DR0                                                                                                         unknown MBR code
 
---- EOF - GMER 2.1 ----
 
*****************************************************************************
Alternate Stream View
 
:encryptable:$DATA C:\OEM\Preload\Autorun\AutorunX\HowToUse\Images\Thumbs.db C:\OEM\Preload\Autorun\AutorunX\HowToUse\Images\Thumbs.db:encryptable 0 0 db
:encryptable:$DATA C:\Windows\Web\Wallpaper\Thumbs.db C:\Windows\Web\Wallpaper\Thumbs.db:encryptable 0 0 db
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\accentuate-1.0.0.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\accentuate-1.0.0.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\authorsupporttool-1.1.1.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\authorsupporttool-1.1.1.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\business_indebtedness_schedule.ots C:\Users\CR\Desktop\Open Office\Extensions etc\business_indebtedness_schedule.ots:Zone.Identifier 26 4,096 ots
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\cropooo-0.2.1.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\cropooo-0.2.1.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\date_and_time_to_letters-0.0.8.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\date_and_time_to_letters-0.0.8.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\doclitmanager.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\doclitmanager.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\etok-2.1.0.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\etok-2.1.0.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\eurooffice_mail_archiver.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\eurooffice_mail_archiver.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\family-budget-planner.xls C:\Users\CR\Desktop\Open Office\Extensions etc\family-budget-planner.xls:Zone.Identifier 26 4,096 xls
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\minutes2tasks-1.2.2.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\minutes2tasks-1.2.2.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\pagination-1.3.10.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\pagination-1.3.10.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\pastefromweb.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\pastefromweb.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\payment_receipt_form.otg C:\Users\CR\Desktop\Open Office\Extensions etc\payment_receipt_form.otg:Zone.Identifier 26 4,096 otg
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\personal_net_worth_calculator_template.ots C:\Users\CR\Desktop\Open Office\Extensions etc\personal_net_worth_calculator_template.ots:Zone.Identifier 26 4,096 ots
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\sample_business_profile_1.ott C:\Users\CR\Desktop\Open Office\Extensions etc\sample_business_profile_1.ott:Zone.Identifier 26 4,096 ott
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\small_business_operating_budget_v1cc.ots C:\Users\CR\Desktop\Open Office\Extensions etc\small_business_operating_budget_v1cc.ots:Zone.Identifier 26 4,096 ots
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\sun-weblog-publisher.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\sun-weblog-publisher.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\sun_odf_template_pack2_en-us.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\sun_odf_template_pack2_en-us.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\team-agreement-template.ott C:\Users\CR\Desktop\Open Office\Extensions etc\team-agreement-template.ott:Zone.Identifier 26 4,096 ott
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\TeamDriveIntegration2.2.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\TeamDriveIntegration2.2.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\xrefmanager-3.0.0.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\xrefmanager-3.0.0.oxt:Zone.Identifier 26 4,096 oxt
:Zone.Identifier:$DATA C:\Users\CR\Downloads\Hirens.BootCD.15.2.zip C:\Users\CR\Downloads\Hirens.BootCD.15.2.zip:Zone.Identifier 26 32 zip
************************************************************************

Edited by hamluis, 12 January 2014 - 03:04 PM.
Moved from Win 8 to Am I Infected - Hamluis.
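The Alternate Stream View export pasted in the post can be triaged mechanically rather than read line by line. The Python below is an added example, not code from the post or from the tool that produced the listing: it parses lines in that whitespace-separated layout, recovers the file path even when it contains spaces, and separates the two stream types Windows itself creates (the small Zone.Identifier "Mark-of-the-Web" tag on downloaded files, and the encryptable flag on Thumbs.db caches) from anything else that deserves a closer look. The KNOWN_STREAMS table, the 1 KB size cut-off and the third sample line (":extra:$DATA" on a made-up notes.txt) are my own assumptions and constructions.

```python
from dataclasses import dataclass

# Assumption (mine, not the tool's): stream names Windows creates on its own.
KNOWN_STREAMS = {
    "Zone.Identifier": "Mark-of-the-Web written by browsers on downloaded files",
    "encryptable": "flag stream Windows adds to Thumbs.db thumbnail caches",
}
BENIGN_MOTW_MAX = 1024  # assumed cut-off: a real MotW tag is a few dozen bytes

@dataclass
class Stream:
    name: str
    path: str
    size: int
    verdict: str

def classify(name: str, path: str, size: int) -> str:
    """Label a stream as benign (known Windows-created) or worth review."""
    if name == "Zone.Identifier" and size < BENIGN_MOTW_MAX:
        return "benign: " + KNOWN_STREAMS[name]
    if name == "encryptable" and path.lower().endswith("thumbs.db"):
        return "benign: " + KNOWN_STREAMS[name]
    return "review: unexpected stream name or size"

def parse_line(line: str) -> Stream:
    """Parse one ':<stream>:$DATA <path> <path>:<stream> <size> <on-disk> <ext>' line."""
    tokens = line.split()
    name = tokens[0].split(":")[1]              # ":Zone.Identifier:$DATA" -> "Zone.Identifier"
    size = int(tokens[-3].replace(",", ""))     # size column uses thousands separators
    middle = " ".join(tokens[1:-3])             # "<path> <path>:<name>", paths may contain spaces
    # middle is P + " " + P + ":" + name, so P's length follows from the total length
    path_len = (len(middle) - 2 - len(name)) // 2
    path = middle[:path_len]
    return Stream(name, path, size, classify(name, path, size))

def triage(report: str) -> list:
    """Parse every stream line of a pasted report; other lines are ignored."""
    return [parse_line(l) for l in report.splitlines() if l.startswith(":")]

# Two lines copied from the post plus one constructed line with an unexpected stream.
SAMPLE_REPORT = r"""
:encryptable:$DATA C:\OEM\Preload\Autorun\AutorunX\HowToUse\Images\Thumbs.db C:\OEM\Preload\Autorun\AutorunX\HowToUse\Images\Thumbs.db:encryptable 0 0 db
:Zone.Identifier:$DATA C:\Users\CR\Desktop\Open Office\Extensions etc\accentuate-1.0.0.oxt C:\Users\CR\Desktop\Open Office\Extensions etc\accentuate-1.0.0.oxt:Zone.Identifier 26 4,096 oxt
:extra:$DATA C:\Users\CR\Documents\notes.txt C:\Users\CR\Documents\notes.txt:extra 51,200 53,248 txt
"""

if __name__ == "__main__":
    for s in triage(SAMPLE_REPORT):
        print(f"{s.verdict:60} {s.name:16} {s.size:>8} {s.path}")
```

Running it over a full export sorts the bulk of a 9000-line listing into the two benign buckets and leaves only the remainder to inspect by hand.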