
Thread: Acer Aspire One locking up (Resolved)

  1. #11
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    There is no sign of any infection there?

    Let's have a last couple of scans to make sure.


    ----------------------------------------------------------------------------------------
    Step 1

    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If requested, please reboot.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    ----------------------------------------------------------------------------------------
    Step 2


    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper

    For instructions on how to disable your security programs, please see this topic
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
    ----------------------------------------------------------------------------------------
    Logs/Information to Post in Reply
    Please post the following logs/Information in your reply
    Some of the logs I request will be quite large; you may need to split them over a couple of replies.
    • MalwareBytes Log
    • Combofix Log
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  2. #12
    Member
    Join Date
    Jan 2010
    Posts
    51

    Default Don't do anything about defogger yet

    Thanks for the help.

    I will run the Malwarebytes and ComboFix scans. Want to make sure I don't need to do anything about Defogger just yet?

  3. #13
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Quote Originally Posted by jpfof7 View Post
    Want to make sure I don't need to do anything about Defogger just yet?
    Not yet, we will run that again later.

  4. #14
    Member
    Join Date
    Jan 2010
    Posts
    51

    Default Malware Bytes Log

    Malwarebytes' Anti-Malware 1.44
    Database version: 3834
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/7/2010 5:43:43 PM
    mbam-log-2010-03-07 (17-43-43).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 161283
    Time elapsed: 18 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  5. #15
    Member
    Join Date
    Jan 2010
    Posts
    51

    Default Combofix log

    ComboFix 10-03-07.02 - Pezzini 03/07/2010 18:36:44.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.545 [GMT -8:00]
    Running from: c:\documents and settings\Pezzini\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\autorun.ini

    .
    original MBR restored successfully !
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
    .

    2010-03-07 23:24 . 2010-03-07 23:24 -------- d-----w- c:\documents and settings\Pezzini\Application Data\Malwarebytes
    2010-03-07 23:24 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-07 23:24 . 2010-03-07 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-07 23:24 . 2010-03-07 23:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-07 23:24 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-07 19:19 . 2010-03-07 19:19 -------- d-sh--w- c:\documents and settings\Pezzini\IECompatCache
    2010-03-05 05:24 . 2010-03-05 05:24 -------- d-----w- C:\rsit
    2010-03-05 05:24 . 2010-03-05 05:24 -------- d-----w- c:\program files\trend micro
    2010-02-27 18:04 . 2010-02-27 18:08 -------- d-----w- c:\windows\system32\autorun
    2010-02-26 17:15 . 2010-02-26 17:15 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-02-26 04:05 . 2010-02-26 04:05 -------- d-----w- C:\found.000

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-07 21:27 . 2009-07-15 21:08 -------- d-----w- c:\program files\Java
    2010-03-07 21:25 . 2010-03-07 21:25 152576 ----a-w- c:\documents and settings\Pezzini\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-03-07 21:25 . 2010-03-07 21:25 79488 ----a-w- c:\documents and settings\Pezzini\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-03-07 19:45 . 2009-08-09 16:04 -------- d-----w- c:\program files\McAfee
    2010-03-07 19:19 . 2010-03-07 19:18 20829680 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
    2010-03-07 19:18 . 2010-03-07 19:18 8405312 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
    2010-03-07 19:18 . 2010-03-07 19:18 149000 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
    2010-03-07 19:17 . 2010-03-07 19:17 10309448 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
    2010-03-07 19:16 . 2010-03-07 19:16 283280 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
    2010-03-07 19:16 . 2010-03-07 19:16 181768 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
    2010-03-07 19:16 . 2010-03-07 19:16 79368 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\vista.exe
    2010-03-07 19:16 . 2010-03-07 19:16 64000 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
    2010-03-07 19:16 . 2010-03-07 19:16 52288 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
    2010-03-07 19:16 . 2010-03-07 19:16 50688 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
    2010-03-07 19:16 . 2010-03-07 19:16 49152 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
    2010-03-07 19:16 . 2010-03-07 19:16 118784 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
    2010-03-05 04:38 . 2010-03-05 04:38 439816 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\setup3.10\setup.exe
    2010-03-05 04:38 . 2010-03-05 04:38 439816 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\temp\~Upg0\setup.exe
    2010-03-05 04:38 . 2010-03-05 04:38 118784 ----a-w- c:\documents and settings\Pezzini\Application Data\Real\Update\temp\~Upg0\install.dll
    2010-02-27 18:45 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-02-27 17:29 . 2009-03-02 22:15 7246 ----a-w- c:\documents and settings\Pezzini\Application Data\wklnhst.dat
    2010-02-26 16:38 . 2009-02-18 22:38 -------- d-----w- c:\program files\Google
    2010-02-26 05:42 . 2009-06-13 20:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-02-26 05:36 . 2009-08-21 21:01 -------- d-----w- c:\documents and settings\Pezzini\Application Data\U3
    2010-02-12 17:24 . 2010-01-01 06:51 69 ----a-w- c:\documents and settings\Pezzini\jagex_runescape_preferences2.dat
    2010-02-12 17:24 . 2009-07-15 21:14 41 ----a-w- c:\documents and settings\Pezzini\jagex_runescape_preferences.dat
    2010-01-22 15:02 . 2009-08-26 02:32 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-19 16:50 . 2009-03-13 16:42 60592 ----a-w- c:\documents and settings\Pezzini\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-01-18 17:55 . 2009-03-20 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-12-31 16:50 . 2008-04-15 03:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2007-08-14 01:54 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-16 18:43 . 2008-04-15 03:00 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08 . 2008-04-15 03:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 19:26 . 2008-04-15 03:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2008-04-15 03:00 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-31 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" [X]
    "M3000Mnt"="M3000Rmv.dll " [X]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
    "RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
    "AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-18 24064]
    "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-24 198160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/9/2009 8:08 AM 93320]
    R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 8:01 AM 151936]
    S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/18/2009 2:38 PM 24064]
    S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/18/2009 2:43 PM 96856]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/7/2010 3:24 PM 38224]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    {1A45FF0C-DF59-4B11-B7C0576459748470}
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2009-08-09 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-09 19:22]

    2010-01-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-08-09 19:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-07 18:51
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x860AF678]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf776bf28
    \Driver\ACPI -> 0x860af678
    \Driver\atapi -> atapi.sys @ 0xf75fe852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
    SecurityProcedure -> ntoskrnl.exe @ 0x805d96a1
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e
    SecurityProcedure -> ntoskrnl.exe @ 0x805d96a1
    NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> 0x84174330
    PacketIndicateHandler -> NDIS.sys @ 0xf74d2a21
    SendHandler -> NDIS.sys @ 0xf74c6d44
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x012A18AC1
    malicious code @ sector 0x012A18AC4 !
    PE file found in sector at 0x012A18ADA !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1764)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\windows\system32\rundll32.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\igfxext.exe
    c:\docume~1\Pezzini\LOCALS~1\Temp\RtkBtMnt.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-07 18:58:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-08 02:57

    Pre-Run: 137,222,217,728 bytes free
    Post-Run: 138,469,056,512 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 77A45D532558201A18F44F1B60D727C2

  6. #16
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Download GMER's MBR.exe to your desktop.
    Double click on the MBR.exe file to run it. A log will be produced, MBR.log.
    Please open this log in Notepad and post its contents in your next reply.

  7. #17
    Member
    Join Date
    Jan 2010
    Posts
    51

    Default gmer mbr log results

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\ACPI -> 0x8685a320
    NDIS: Atheros AR5007EG Wireless Network Adapter -> SendCompleteHandler -> 0x849d6330
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x012A18AC1
    malicious code @ sector 0x012A18AC4 !
    PE file found in sector at 0x012A18ADA !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
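The GMER output above reports a stored copy of the original MBR in a later sector alongside modified code in sector 0, which is the Mebroot/Sinowal layout. As an added example that is not part of this thread and not GMER's own tool, the following Python script performs that comparison on a constructed raw disk image: it parses the MBR partition table, looks for other sectors carrying the same table, and flags a copy whose boot code differs from what is actually in sector 0. The sample image, the copy's sector number and the placeholder boot bytes are all constructed for the example.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
BOOT_CODE_LEN = 446          # bytes 0..445: executable boot code
PART_TABLE_OFF = 446         # then four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sectors


def parse_mbr(sector: bytes):
    """Split one 512-byte sector into (boot_code, partition list, signature_ok)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba, size = struct.unpack_from(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": size})
    return sector[:BOOT_CODE_LEN], parts, sector[510:512] == MBR_SIGNATURE


def find_mbr_copies(image: bytes, active_parts):
    """LBAs of sectors other than 0 that carry the active MBR's partition table.

    A stealth MBR rootkit parks the original MBR in a spare sector and chain-loads it
    after its own code; that copy is what GMER reports as a 'copy of MBR'.
    """
    hits = []
    for lba in range(1, len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sector[510:512] != MBR_SIGNATURE:
            continue
        _, parts, _ = parse_mbr(sector)
        if parts and parts == active_parts:
            hits.append(lba)
    return hits


def assess(image: bytes):
    """Return findings; a stored MBR copy whose boot code differs from sector 0 is the red flag."""
    boot_code, parts, sig_ok = parse_mbr(image[:SECTOR])
    findings = []
    if not sig_ok:
        findings.append("sector 0 lacks the 0x55AA boot signature")
    for lba in find_mbr_copies(image, parts):
        if image[lba * SECTOR:lba * SECTOR + BOOT_CODE_LEN] != boot_code:
            findings.append(f"copy of MBR at sector {lba:#x} has different boot code")
    return findings


def build_sample_image(tampered: bool, copy_lba: int = 40) -> bytes:
    """Constructed 64-sector test image; tampered=True mimics the infected layout."""
    original_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)  # placeholder boot code
    table = bytearray(64)
    struct.pack_into(PART_ENTRY_FMT, table, 0, 0x80, 0x07, 2048, 1 << 20)  # one bootable NTFS partition
    original_mbr = original_code + bytes(table) + MBR_SIGNATURE
    image = bytearray(64 * SECTOR)
    image[:SECTOR] = original_mbr
    if tampered:
        # Sector 0 gets stand-in bytes for the foreign loader (here a harmless `jmp $`),
        # and the original MBR is moved to a later sector, as in the GMER report above.
        image[:BOOT_CODE_LEN] = b"\xeb\xfe" + b"\x00" * (BOOT_CODE_LEN - 2)
        image[copy_lba * SECTOR:(copy_lba + 1) * SECTOR] = original_mbr
    return bytes(image)


if __name__ == "__main__":
    print({label: assess(build_sample_image(t)) for label, t in (("clean", False), ("tampered", True))})
```

Putting the stored copy back into sector 0 of the constructed image yields no findings even though the copy still sits at its later sector, which is the same picture as the post-fix log later in the thread (user and kernel MBR OK, copy still present).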

  8. #18
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Please move MBR.exe directly on to your C:\ drive then do the following

    click Start > Run

    Type in mbr.exe -f
    (Note the space between mbr.exe and -f)

    Then click OK.

    When you have finished the above, reboot your machine.

    Now double click on MBR.exe and post that log

  9. #19
    Member
    Join Date
    Jan 2010
    Posts
    51

    Default Log after mbr.exe -f

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x012A18AC1
    malicious code @ sector 0x012A18AC4 !
    PE file found in sector at 0x012A18ADA !


    mbr.exe -f ran in a DOS window. It returned messages, with one saying to use the recovery module and a specific command to clean. Sorry, I didn't write it down.

  10. #20
    Member
    Join Date
    Jan 2010
    Posts
    51

    Default wants to run fixmbr from Windows Recovery Console

    I remember now. It said to use the "fixmbr" command available from the Windows Recovery Console.
