
MBR CORRUPTED - HELP


andrewoman


I think I have found the culprit of many issues that appear to be malware on my laptop. I ran a scan with MBRCheck and posted the results below. I have run scans with Malwarebytes, Avast, SuperAntiSpyware and no program catches anything.

I have a Presario V5000, Windows XP Home and upon install of XP disk and restart, I typed in "fixmbr" in the Windows Recovery Console and was not allowed to continue. I got a CAUTION message: Problem has been detected and Windows has been shut down to prevent damage to your computer, etc.

I appreciate help that anyone can provide.

Here are the results from the MBRCheck scan:

READING ON BLACK SCREEN: "windows xp mbr code detected" - 55 GB

MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 107):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7AD2000 \WINDOWS\system32\KDCOM.DLL
0xF79E2000 \WINDOWS\system32\BOOTVID.dll
0xF74A3000 ACPI.sys
0xF7AD4000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7492000 pci.sys
0xF75D2000 isapnp.sys
0xF79E6000 compbatt.sys
0xF79EA000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B9A000 pciide.sys
0xF7852000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF75E2000 MountMgr.sys
0xF7473000 ftdisk.sys
0xF79EE000 ACPIEC.sys
0xF7B9B000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF785A000 PartMgr.sys
0xF75F2000 VolSnap.sys
0xF745B000 atapi.sys
0xF7602000 disk.sys
0xF7612000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF743B000 fltMgr.sys
0xF7429000 sr.sys
0xF7412000 KSecDD.sys
0xF7385000 Ntfs.sys
0xF7358000 NDIS.sys
0xF733E000 Mup.sys
0xF76B2000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7A7E000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBAFD8000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF78AA000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xBAFB4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78B2000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7A82000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF76C2000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF78BA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF78C2000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF76D2000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF76E2000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76F2000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBAF91000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7C3C000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7702000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A8A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xBAF7A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7712000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7722000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78CA000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBAF52000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7732000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78D2000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78DA000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7742000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AEE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xBAECC000 \SystemRoot\system32\DRIVERS\update.sys
0xF7A9E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7752000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7762000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7AF2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7AF6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7CCB000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AF8000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78FA000 \SystemRoot\System32\drivers\vga.sys
0xBAEA7000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF7AFA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AFC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7902000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF790A000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7AC6000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xBAE74000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xBAE1B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF7772000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xBADCB000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBAD4A000 \SystemRoot\System32\vsdatant.sys
0xBAD24000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7782000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBAD02000 \SystemRoot\System32\drivers\afd.sys
0xF7792000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBAC37000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBABC7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF77A2000 \SystemRoot\System32\Drivers\Fips.SYS
0xBABA0000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF7922000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF7812000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBAB60000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B08000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBAF2A000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7932000 \SystemRoot\System32\watchdog.sys
0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
0xF7CDC000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xF794A000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xBA948000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xBA830000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBA629000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xBA444000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA2DA000 \SystemRoot\system32\DRIVERS\srv.sys
0xF793A000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xB9ED9000 \SystemRoot\System32\Drivers\HTTP.sys
0xB9DB1000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB9E49000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF792A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB9DA9000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB9BDF000 \SystemRoot\system32\DRIVERS\RTL8187.sys
0xF7892000 \??\C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\mbr.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 28):
0 System Idle Process
4 System
368 C:\WINDOWS\system32\smss.exe
424 csrss.exe
448 C:\WINDOWS\system32\winlogon.exe
492 C:\WINDOWS\system32\services.exe
504 C:\WINDOWS\system32\lsass.exe
676 C:\WINDOWS\system32\svchost.exe
756 svchost.exe
796 C:\WINDOWS\system32\svchost.exe
852 svchost.exe
912 svchost.exe
952 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
1248 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1520 C:\WINDOWS\system32\spoolsv.exe
2036 alg.exe
1932 C:\WINDOWS\explorer.exe
576 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1564 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
1008 C:\WINDOWS\system32\ctfmon.exe
2052 C:\PROGRA~1\REALTEK\RTL818~1\RtWLan.exe
1172 C:\WINDOWS\system32\wpabaln.exe
3296 C:\WINDOWS\system32\wuauclt.exe
3208 C:\Program Files\Internet Explorer\iexplore.exe
3384 C:\Program Files\Internet Explorer\iexplore.exe
2772 C:\Program Files\Internet Explorer\iexplore.exe
4012 C:\WINDOWS\system32\svchost.exe
3852 C:\Documents and Settings\New user\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: *********** Rev: ************

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!


Hello andrewoman:

Sorry to hear that your system is infected; at times, completely eradicating these nasties requires special tools and an expert's knowledge. Please read and follow the instructions in I'm infected - What do I do now? An Expert will assist you in the removal process. Please don't use any specialized tool(s) for threat removal without supervision; you may render your system non-bootable. Let the Experts deal with it.

Should you have any other question(s), please post back.


andrewoman:

There is a driver in the list above (0xF7892000 \??\C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\mbr.sys) that is in a location that should not have a driver - a temp folder.

Haider suggested following the "how to rid myself of malware" and you should. One of the first things on its list is running GMER. It should rid your computer of the problem I have pointed out. But, there may be more - so run through the whole script, to make sure.

Good luck!

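The triage check made in the reply above (a kernel driver loaded from a Temp folder) is easy to automate, and it generalizes beyond this one case. The script below is an added example written for this thread; it is not code from the posters or from MBRCheck. It parses a constructed excerpt of an MBRCheck-style report (the lines are copied from the post above, nothing was captured live), flags every kernel driver whose path lies outside \WINDOWS\system32 or \SystemRoot\system32, and picks out the MBR status line and its SHA1 so they can be compared against a known-good MBR hash. The trusted prefixes and the "suspect" path markers are my own assumptions, not rules taken from MBRCheck.

```python
import re

# Constructed excerpt in the shape of the MBRCheck report posted in the thread;
# the addresses and paths are copied from that post, nothing here was captured live.
SAMPLE_REPORT = r"""MBRCheck, version 1.2.3
Windows Version: Windows XP Home Edition
Kernel Drivers (total 6):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0xF74A3000 ACPI.sys
0xF7AD4000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xBAD4A000 \SystemRoot\System32\vsdatant.sys
0xF7892000 \??\C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\mbr.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 1):
4 System
Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
Done!
"""

# Assumed locations a kernel driver is normally loaded from on Windows XP.
# Anything else (user profile, Temp, an arbitrary drive path behind a \??\ prefix)
# is worth a closer look: hash the file and check its signature before trusting it.
TRUSTED_PREFIXES = ("\\windows\\system32\\", "\\systemroot\\system32\\")
SUSPECT_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\",
                   "\\users\\", "\\local settings\\", "\\appdata\\")

DRIVER_LINE = re.compile(r"^(0x[0-9A-Fa-f]{8})\s+(\S.*?)\s*$")
MBR_LINE = re.compile(r"^\d+\s+[GM]B\s+(\\\\\.\\PhysicalDrive\d+)\s+(.*?)\s*$")
SHA1_LINE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})\s*$")


def classify_driver(path):
    """Return (verdict, reasons) for one driver path taken from the report."""
    p = path.lower()
    if p.startswith("\\??\\"):          # NT object-manager form of an arbitrary path
        p = p[4:]
    if "\\" not in p:                    # boot-start drivers are listed by name only
        return "system", []
    if p.startswith(TRUSTED_PREFIXES):
        return "system", []
    reasons = [m.strip("\\") for m in SUSPECT_MARKERS if m in p]
    if p[1:3] == ":\\":                  # drive-letter path instead of \SystemRoot
        reasons.append("absolute drive path")
    return "suspicious", reasons or ["outside system32"]


def analyze(report_text):
    """Parse an MBRCheck-style report into drivers, flagged drivers and MBR status."""
    result = {"drivers": [], "suspicious": [], "mbr_status": None, "mbr_sha1": None}
    in_drivers = False
    for line in report_text.splitlines():
        if line.startswith("Kernel Drivers"):
            in_drivers = True
            continue
        if line.startswith("Processes"):
            in_drivers = False
        m = DRIVER_LINE.match(line) if in_drivers else None
        if m:
            addr, path = m.groups()
            verdict, reasons = classify_driver(path)
            entry = {"addr": addr, "path": path, "verdict": verdict, "reasons": reasons}
            result["drivers"].append(entry)
            if verdict == "suspicious":
                result["suspicious"].append(entry)
            continue
        m = MBR_LINE.match(line)
        if m:
            result["mbr_status"] = m.group(2)
        m = SHA1_LINE.match(line)
        if m:
            result["mbr_sha1"] = m.group(1).upper()
    return result


if __name__ == "__main__":
    r = analyze(SAMPLE_REPORT)
    print(f"{len(r['drivers'])} drivers parsed, {len(r['suspicious'])} flagged")
    for d in r["suspicious"]:
        print(f"  {d['addr']} {d['path']}  <- {', '.join(d['reasons'])}")
    print("MBR status:", r["mbr_status"], "SHA1:", r["mbr_sha1"])
```

Run against the excerpt, the only driver flagged is the one in the Temp folder, with "temp", "docume~1" and "absolute drive path" as the reasons. Treat a flag from this check as a prompt to verify the file (publisher signature, hash against a known-good copy), not as a verdict: some anti-rootkit scanners load a short-lived helper driver from exactly such a path while they run, so the file's identity has to be established before deciding it is malicious. The SHA1 the report prints is of the MBR sector, which is what you would compare against the hash of a clean Windows XP MBR.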
