
MBR Virus? Cannot run mbam.exe


I received this virus several months ago and got so frustrated that I could not get rid of it that I just disconnected it from my network, and it has largely been turned off ever since. Now I really need this computer and I am hoping someone from the group of virus slayers can help. I have been trying to run mbam.exe by renaming it and so forth with no luck. Thank you in advance for any help!

I was able to run HijackThis and received the following results:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:56:28 PM, on 9/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\RioMSC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\Iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Citrus Alarm Clock\Citrus Alarm Clock.exe

C:\Program Files\MozyHome\mozystat.exe

C:\Program Files\FogBugz\Screenshot\screenshot.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

F2 - REG:system.ini: UserInit=userinit.exe

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll

O2 - BHO: (no name) - {F4D34BDE-8B3B-4A4C-997E-60F34F071DA4} - C:\WINDOWS\system32\awtusqQI.dll (file missing)

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: FogBugz Screenshot.lnk = C:\Program Files\FogBugz\Screenshot\screenshot.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Citrus Alarm Clock.lnk = C:\Program Files\Citrus Alarm Clock\Citrus Alarm Clock.exe

O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147761844779

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147762740701

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bricsnet.webex.com/client/T26L/webex/ieatgpc.cab

O20 - AppInit_DLLs: syjgeo.dll

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 6133 bytes


Got impatient and read some other posts that appeared similar in nature. I ran ComboFix and it found a master boot record virus. It walked me through the rest of the wizard and I am finally able to run Malwarebytes. Is there anything else I should do? Here is the log:

ComboFix 09-09-08.02 - christian 09/08/2009 18:36.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.303 [GMT -7:00]

Running from: c:\documents and settings\christian\Desktop\capcom.exe

AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\syssvc.exe

c:\windows\system32\Drivers\bxdw.sys

c:\windows\system32\drivers\UACevspqxiv.sys

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\qivvncva.dll

c:\windows\system32\sdra64.exe

c:\windows\system32\UACawutlewt.log

c:\windows\system32\UACbbjinhpi.dll

c:\windows\system32\UACbvsppbav.dll

c:\windows\system32\UACbygyxqem.dat

c:\windows\system32\UACcumxvxfx.log

c:\windows\system32\UACgumobyhw.log

c:\windows\system32\uacinit.dll

c:\windows\system32\UACmothwmkd.dll

c:\windows\system32\UACourrvkbn.dll

c:\windows\system32\UACyrbqtpbi.dll

c:\windows\system32\xyhvbhnj.dll

c:\windows\system32\yoxbrfbo.dll

c:\windows\system32\ywtwzr.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))

.

2009-09-08 23:56 . 2009-09-08 23:56 -------- d-----w- c:\program files\Trend Micro

2009-09-08 23:19 . 2009-09-08 23:19 -------- d-----w- C:\ark

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-08 22:31 . 2008-07-21 16:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-06 21:25 . 2009-07-22 16:45 -------- d-----w- c:\documents and settings\christian\Application Data\vlc

2009-08-15 23:32 . 2006-05-27 04:22 -------- d-----w- c:\documents and settings\christian\Application Data\foobar2000

2009-07-13 20:36 . 2008-07-21 16:23 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 20:36 . 2008-07-21 16:23 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2008-07-11 06:13 . 2008-07-11 05:32 48 --sh--w- c:\windows\S5EE12569.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

@="{747E722C-CB46-4A9D-BDFE-192AAD5099B1}"

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]

2008-07-14 15:26 2405680 ----a-w- c:\program files\MozyHome\mozyshell1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

@="{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}"

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]

2008-07-14 15:26 2405680 ----a-w- c:\program files\MozyHome\mozyshell1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2006-03-20 516096]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]

"PtiuPbmd"="ptipbm.dll" - c:\windows\system32\ptipbm.dll [2003-05-20 24576]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-07-17 55296]

c:\documents and settings\christian\Start Menu\Programs\Startup\

FogBugz Screenshot.lnk - c:\program files\FogBugz\Screenshot\screenshot.exe [2005-3-24 352256]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Citrus Alarm Clock.lnk - c:\program files\Citrus Alarm Clock\Citrus Alarm Clock.exe [2008-5-30 326656]

MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2008-7-22 2311472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"57001:TCP"= 57001:TCP:Azuerus

R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [7/22/2008 11:12 PM 53752]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [5/25/2007 3:56 AM 16512]

.

Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-22 18:53]

2009-09-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-22 18:53]

.

- - - - ORPHANS REMOVED - - - -

BHO-{F4D34BDE-8B3B-4A4C-997E-60F34F071DA4} - c:\windows\system32\awtusqQI.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

FF - ProfilePath - c:\documents and settings\christian\Application Data\Mozilla\Firefox\Profiles\nnkeaszv.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\documents and settings\christian\Application Data\Mozilla\Firefox\Profiles\nnkeaszv.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-08 18:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AudioDeck = c:\program files\VIAudioi\SBADeck\ADeck.exe 1???\ ?|????C:\Documents and???|???|?????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-09-09 18:51

ComboFix-quarantined-files.txt 2009-09-09 01:51

Pre-Run: 98,290,434,048 bytes free

Post-Run: 98,501,742,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

141 --- E O F --- 2009-03-09 10:00


Not totally sure, to be honest. Mixed results. Thanks for responding.

On the positive side: I was able to run Malwarebytes and it went through and did its thing (log posted below). My browser results are not being redirected.

On the potentially negative side: McAfee, which did not prevent the attack in the first place, is popping up notifications that it has found Stealth!MBR Virus in multiple places such as my F, G, H and I drives (I have a few HDDs). Not sure why, when ComboFix seemed to remove the rootkit and Malwarebytes identified some as well. Are there remnants still on my machine?

I ran HijackThis after the cleaning to see if there was anything left (posted below). Please let me know if there is anything else I should do.

Burning n00b question too... Is it unsafe to have an infected machine like this one connected to the internet? I have had it unplugged for a while just in case...

Also, if I had bought Malwarebytes and had it installed instead of McAfee, would Malwarebytes have caught this?

In the meantime, my system updated itself with some MS XP updates, and I installed some security features for Firefox such as NoScript and Adblock Plus, as well as updating Flash, Java and Firefox overall to newer versions.

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.40

Database version: 2762

Windows 5.1.2600 Service Pack 3

9/8/2009 9:54:46 PM

mbam-log-2009-09-08 (21-54-46).txt

Scan type: Full Scan (C:\|E:\|F:\|H:\|I:\|J:\|)

Objects scanned: 205244

Time elapsed: 1 hour(s), 28 minute(s), 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\syssvc.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbbjinhpi.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbvsppbav.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmothwmkd.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACyrbqtpbi.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACevspqxiv.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{88A4A785-9742-4046-873E-16FB567C2188}\RP646\A0059470.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{88A4A785-9742-4046-873E-16FB567C2188}\RP646\A0059471.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{88A4A785-9742-4046-873E-16FB567C2188}\RP646\A0059473.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{88A4A785-9742-4046-873E-16FB567C2188}\RP646\A0059474.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{88A4A785-9742-4046-873E-16FB567C2188}\RP646\A0059475.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{88A4A785-9742-4046-873E-16FB567C2188}\RP646\A0059509.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:03:50 AM, on 9/9/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\RioMSC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Citrus Alarm Clock\Citrus Alarm Clock.exe

C:\Program Files\MozyHome\mozystat.exe

C:\Program Files\FogBugz\Screenshot\screenshot.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\cmd.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\Program Files\Mozilla Firefox\firefox.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

c:\PROGRA~1\mcafee\msc\mcupdui.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: FogBugz Screenshot.lnk = C:\Program Files\FogBugz\Screenshot\screenshot.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Citrus Alarm Clock.lnk = C:\Program Files\Citrus Alarm Clock\Citrus Alarm Clock.exe

O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147761844779

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147762740701

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bricsnet.webex.com/client/T26L/webex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{9EAC0072-308E-4A7A-B9A6-92970BA93605}: NameServer = 68.87.76.182,68.87.78.134

O23 - Service: McAfee Application Installer Cleanup (0320161252478633) (0320161252478633mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\032016~1.EXE

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 6746 bytes


It ran very quickly and here is the result:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS

kernel: MBR read successfully

user & kernel MBR OK

copy of MBR has been found in sector 62 !

PE file found in sector at 0x022EF2AC3 !

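The detector output above reports a second copy of the MBR parked in sector 62, which is what a responder would diff against sector 0. As an added example (not code from this thread or from Gmer), the Python below performs that check on a raw disk image: it locates any sector in the first track carrying the same partition table as sector 0, then compares boot code and partition table region by region. All sector contents are constructed for the example; on a real machine the image would come from a sector-level read of the physical drive.

```python
"""
Find and diff a stashed MBR copy, as an MBR-rootkit detector does.
Bootkits of the Mebroot/Sinowal family replace the boot code in sector 0,
keep the partition table so Windows still boots, and park the original MBR
in a spare sector of the first track (sector 62 in the detector output above).
All sector contents below are constructed for this example.
"""
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: bootstrap code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries
SIGNATURE_OFFSET = 510         # 0x55AA boot signature
TABLE = slice(PARTITION_TABLE_OFFSET, SIGNATURE_OFFSET)

def has_valid_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[SIGNATURE_OFFSET:] == b"\x55\xAA"

def parse_partition_table(sector: bytes) -> List[dict]:
    """Decode the four partition entries, skipping empty slots."""
    entries = []
    for i in range(4):
        # status, CHS start (ignored), type, CHS end (ignored), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries

def read_sector(image: bytes, lba: int) -> bytes:
    return image[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]

def find_mbr_copies(image: bytes, max_lba: int = 63) -> List[int]:
    """Sectors in the first track carrying the same partition table as sector 0."""
    table = read_sector(image, 0)[TABLE]
    last = min(max_lba, len(image) // SECTOR_SIZE - 1)
    hits = []
    for lba in range(1, last + 1):
        sector = read_sector(image, lba)
        if has_valid_signature(sector) and sector[TABLE] == table:
            hits.append(lba)
    return hits

def compare_mbr(live: bytes, backup: bytes) -> Dict[str, bool]:
    """Diff the live MBR against a backup copy, region by region."""
    verdict = {
        "live_signature_ok": has_valid_signature(live),
        "backup_signature_ok": has_valid_signature(backup),
        "boot_code_modified": live[:BOOT_CODE_LEN] != backup[:BOOT_CODE_LEN],
        "partition_table_modified": live[TABLE] != backup[TABLE],
    }
    # Bootkit pattern: fresh boot code under an untouched partition table.
    verdict["suspicious"] = (verdict["boot_code_modified"]
                             and not verdict["partition_table_modified"])
    return verdict

def check_disk(image: bytes) -> Dict[str, bool]:
    """Compare sector 0 with the first stashed copy; no copy means nothing to diff."""
    copies = find_mbr_copies(image)
    if not copies:
        return {"copy_found": False, "suspicious": False}
    verdict = compare_mbr(read_sector(image, 0), read_sector(image, copies[0]))
    verdict["copy_found"] = True
    return verdict

# Constructed sample data: stand-ins, not real boot code.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
HOOKED_BOOT_CODE = b"\xeb\x4c\x90\x90" + b"\xcc" * 40

def build_sample_mbr(boot_code: bytes) -> bytes:
    """A 512-byte MBR with one bootable NTFS (0x07) partition at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1A2B3C4D)  # disk signature
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET,
                     0x80, 0x07, 63, 246_263_427)
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)

def build_sample_disk() -> bytes:
    """64-sector image: hooked MBR at LBA 0, original MBR stashed at LBA 62."""
    image = bytearray(SECTOR_SIZE * 64)
    image[0:SECTOR_SIZE] = build_sample_mbr(HOOKED_BOOT_CODE)
    image[62 * SECTOR_SIZE:63 * SECTOR_SIZE] = build_sample_mbr(CLEAN_BOOT_CODE)
    return bytes(image)

if __name__ == "__main__":
    disk = build_sample_disk()
    print("MBR copies found in sectors:", find_mbr_copies(disk))
    for key, value in check_disk(disk).items():
        print(f"{key}: {value}")
```

After a fixmbr of the kind described in the next post, sector 0 would again match the stashed copy and the verdict would no longer be flagged.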

You will want to print out my instructions.

Since Recovery Console is installed,

boot into Recovery Console

and type the following:

map

It will display all drives.

You need to look for all of your other drives; the drive letters should be displayed as well as the following:

C: NTFS 120254MB \Device\Harddisk0\Partition1

To fix the MBR on each drive we need this information only:

Device\Harddisk0, Device\Harddisk1 and so on. They might not be in sequence, so be careful.

Write all of them down

and just run this command on each drive:

fixmbr device name

An example would be fixmbr \device\harddisk2

If you have any questions just let me know.


Sorry for the delay. I finally got my XP CD. I had to go into my BIOS and make my DVD drive bootable. Now I am in the Recovery Console.

I used the map command, but I did not see all of my drives. I only see 3 of them and there should be 5. I saw a message to install drivers for a SCSI or RAID configuration. I was not able to produce a floppy with the drivers, so I ran the fixmbr command against the drives that did appear. Then I shut off the computer, unplugged the drives that had the fixmbr command applied and plugged in the remaining drives. I ran fixmbr on each. Then when I ran fixmbr on C: I got a Blue Screen of Death with a "Stop" message. Is that common? Is it okay?

What should I do next? Is it okay to boot back into regular old XP?


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.


Sorry for the delay. I have been trying to run the scan, but I have not been able to finish it for one reason or another. One time my machine installed patches and rebooted, another time it seemed to get stuck at 3%, and now it seems to have timed out after a certain amount of time. This time it stopped at 7%... Any ideas on what I can do to make it go through to 100%? It says it has been scanning for "02:33:17", but in actuality it has been more like 4 hours. I do have several drives with a lot of data, close to a terabyte. It won't let me get the report either. It did say:

Objects scanned: 74733

Threats found: 2

Infected objects found: 10

Suspicious objects found: 0

Scan duration: 02:33:17

I have turned off McAfee as you directed. I DO have Malwarebytes running. I also use the NoScript add-in for Firefox, but I have turned that off for the Kaspersky site. Any help you can provide would be appreciated. For what it's worth, I saw the scan from the other day when it stopped at 3%... it had found 7 and most if not all seemed related to having VNC on my machine... I cannot seem to find that log though...


Okay, so I finally got this to work! It seemed to always crash in Firefox, so I finally tried it in IE and after 12+ hours it successfully completed. Here are the results:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, September 25, 2009

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, September 24, 2009 18:41:41

Records in database: 2914331

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - Folder:

C:\

Scan statistics:

Objects scanned: 74800

Threats found: 2

Infected objects found: 9

Suspicious objects found: 0

Scan duration: 13:16:27

File name / Threat / Threats count

C:\Documents and Settings\christian\Desktop\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4

C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\sdra64.exe.vir Infected: Trojan-Spy.Win32.Zbot.oqp 1

Selected area has been scanned.
