
Hello, My name is Trevor.

Recently I've been having a few problems with some programs not working, specifically "Zune". So I thought maybe there might be something wrong with my PC. I tried running a few different things that have helped me in the past, but when I ran Malwarebytes Anti Root-kit it found 2 infections. Both were labeled as Unknown.Rootkit.VBR, and after I ran the clean process and restarted, I ran it a second time to find it was still there. Any help with this will be greatly appreciated.

Post too long, so I have to attach logs

 
 
 

 

FRST.txt

Addition.txt


Hello

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Please download RogueKiller from here:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version

                                   

  • Make sure to get the correct version for your system.
  • Quit all running programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • The following EULA will appear, please select accept
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
  • When the scan completes select Report, copy and paste that to your reply.
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller

Let me see that log in your next reply....

Kevin

RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software





 

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Whetto Kong [Admin rights]

Mode : Scan -- Date : 05/26/2014 07:12:30

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 4 ¤¤¤

[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Browser Addons : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

[Address] IAT @explorer.exe (LoadImageW) : USER32.dll -> HOOKED (C:\Program Files\Theme Resource Changer\ThemeResourceChanger.dll @ 0x800060C0)

[Address] EAT @explorer.exe (DllCanUnloadNow) : thumbcache.dll -> HOOKED (C:\Windows\system32\wpdshserviceobj.dll @ 0xFAC53D60)

[Address] EAT @explorer.exe (DllGetClassObject) : thumbcache.dll -> HOOKED (C:\Windows\system32\wpdshserviceobj.dll @ 0xFAC51A74)

[Address] EAT @explorer.exe (DllRegisterServer) : thumbcache.dll -> HOOKED (C:\Windows\system32\wpdshserviceobj.dll @ 0xFAC56070)

[Address] EAT @explorer.exe (DllUnregisterServer) : thumbcache.dll -> HOOKED (C:\Windows\system32\wpdshserviceobj.dll @ 0xFAC56278)

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

 

 

127.0.0.1       localhost

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SanDisk SDSSDP064G SATA Disk Device +++++

--- User ---

[MBR] a855787695a5acafa915ccec7b5a9095

[bSP] 68520ce647c68a1314614643fee64f19 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 61051 MB

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) KINGSTON  SV300S37A120G SATA Disk Device +++++

--- User ---

[MBR] 0b7bb940a522c988c9e7da99fded3bbd

[bSP] e3846e8f3a1cb7868e5d6ac3c03c2763 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 114471 MB

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) ST1000DM 003-1CH162 SATA Disk Device +++++

--- User ---

[MBR] a77855670532b5bc63d11c5e0faa2d3d

[bSP] 09c571c4a1235fca5bc5066a90c87aa3 : Windows 7/8 MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 749076 MB

1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 1534111110 | Size: 204789 MB

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ IDE) MKNSSDCR 240GB SATA Disk Device +++++

--- User ---

[MBR] 1eabd9ce33b636f8f4422e7fefd30bed

[bSP] b3854fe18b006b445c1c8c1c2f81167b : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 228834 MB

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive4: (\\.\PHYSICALDRIVE4 @ USB) Generic- Compact Flash USB Device +++++

Error reading User MBR! ([0x15] The device is not ready. )

User = LL1 ... OK!

Error reading LL2 MBR! ([0x32] The request is not supported. )

 

+++++ PhysicalDrive5: (\\.\PHYSICALDRIVE5 @ USB) Generic- SM/xD-Picture USB Device +++++

Error reading User MBR! ([0x15] The device is not ready. )

User = LL1 ... OK!

Error reading LL2 MBR! ([0x32] The request is not supported. )

 

+++++ PhysicalDrive6: (\\.\PHYSICALDRIVE6 @ USB) Generic- SD/MMC USB Device +++++

Error reading User MBR! ([0x15] The device is not ready. )

User = LL1 ... OK!

Error reading LL2 MBR! ([0x32] The request is not supported. )

 

+++++ PhysicalDrive7: (\\.\PHYSICALDRIVE7 @ USB) Generic- MS/MS-Pro USB Device +++++

Error reading User MBR! ([0x15] The device is not ready. )

User = LL1 ... OK!

Error reading LL2 MBR! ([0x32] The request is not supported. )

 

Finished : << RKreport[0]_S_05262014_071230.txt >>

RKreport[0]_S_05262014_070807.txt

Can you run the following scan to have another look at your system? Up to now, no issues of note:

 

Download TDSSKiller and save it to your Desktop.

 

Make sure TDSSKiller.exe is on the Desktop itself, not within a folder on the desktop.

 

Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

 

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt

 

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.

If malicious objects are found, do NOT select Delete or Cure. Change the action to Skip. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

 

Thanks,

 

Kevin....


No need for apologies, I'm here to help any way I can. If no problems, run the following:

 

Download "Delfix by Xplode" and save it to your desktop.

 

"Delfix link mirror"

 

Double click to start the program. If you are using Vista or higher, please right-click and choose run as administrator.

 

Make sure the following items are checked:

 


    Activate UAC
    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry backup with ERUNT; the backup will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that backup folder if you consider it as not needed...

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if we are ok to close out....

 

Kevin


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.