-
ken545,
Success! It ran. I don't know what the results mean, but it doesn't look good to me...
Here is the log:
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000fc
Kernel Drivers (total 144):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7992000 \WINDOWS\system32\KDCOM.DLL
0xF78A2000 \WINDOWS\system32\BOOTVID.dll
0xF7363000 ACPI.sys
0xF7994000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7352000 pci.sys
0xF7492000 isapnp.sys
0xF7A5A000 pciide.sys
0xF7712000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF74A2000 MountMgr.sys
0xF7333000 ftdisk.sys
0xF7996000 dmload.sys
0xF730D000 dmio.sys
0xF771A000 PartMgr.sys
0xF74B2000 VolSnap.sys
0xF72F5000 atapi.sys
0xF74C2000 disk.sys
0xF74D2000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF72D5000 fltmgr.sys
0xF72C3000 sr.sys
0xF72AD000 DRVMCDB.SYS
0xF74E2000 PxHelp20.sys
0xF7296000 KSecDD.sys
0xF7283000 WudfPf.sys
0xF71F6000 Ntfs.sys
0xF71C9000 NDIS.sys
0xF71AF000 Mup.sys
0xF690B000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF66C7000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF66B3000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF668B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF785A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6667000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7862000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6633000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xF6610000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6511000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF646A000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF786A000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6444000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF7502000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF79C4000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF7512000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7522000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7B1B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7532000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF797E000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF642D000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7542000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7552000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7872000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF641C000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7562000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF787A000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7882000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF63EC000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7572000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF788A000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7892000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79C6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF638E000 \SystemRoot\system32\DRIVERS\update.sys
0xF7172000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF61D0000 \SystemRoot\system32\DRIVERS\TM_CFW.sys
0xF7582000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF4083000 \SystemRoot\system32\drivers\sthda.sys
0xF405F000 \SystemRoot\system32\drivers\portcls.sys
0xF75C2000 \SystemRoot\system32\drivers\drmk.sys
0xF793E000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF75E2000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79D2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF6824000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79D4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B88000 \SystemRoot\System32\Drivers\Null.SYS
0xF79D6000 \SystemRoot\System32\Drivers\Beep.SYS
0xF772A000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xF774A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7752000 \SystemRoot\System32\drivers\vga.sys
0xF79D8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79DA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF775A000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7762000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6818000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF3E94000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF3E3B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF3E13000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF6810000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF3DF1000 \SystemRoot\System32\drivers\afd.sys
0xF7602000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF3DB1000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF3DA0000 \SystemRoot\system32\DRIVERS\tmtdi.sys
0xF7622000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF3D75000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF3D05000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7632000 \SystemRoot\System32\Drivers\Fips.SYS
0xF776A000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7772000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7966000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7642000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF796A000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF7782000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF796E000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7976000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF7662000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF3CC5000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79E6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF793A000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77AA000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B22000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF049000 \SystemRoot\System32\ati2cqag.dll
0xBF07D000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2F4000 \SystemRoot\System32\ativvaxx.dll
0xBF391000 \SystemRoot\System32\ATMFD.DLL
0xF1428000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xF693B000 \SystemRoot\system32\DRIVERS\tmpreflt.sys
0xF1291000 \SystemRoot\system32\DRIVERS\vsapint.sys
0xF1226000 \SystemRoot\system32\drivers\TmXPFlt.sys
0xF692B000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF7ABC000 \SystemRoot\System32\DLA\DLADResN.SYS
0xF1210000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xF13FC000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xF7A0A000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xF77CA000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xF11F8000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xF11E2000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xF108C000 \SystemRoot\system32\DRIVERS\nwlnkipx.sys
0xF1BFD000 \SystemRoot\system32\DRIVERS\nwlnknb.sys
0xF11BE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF077B000 \SystemRoot\system32\DRIVERS\nwrdr.sys
0xF074E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF106C000 \SystemRoot\system32\DRIVERS\nwlnkspx.sys
0xF0649000 \SystemRoot\system32\drivers\wdmaud.sys
0xF697B000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7A02000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xF7A04000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xEF919000 \SystemRoot\System32\Drivers\HTTP.sys
0xEF899000 \SystemRoot\system32\DRIVERS\srv.sys
0xEF875000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEE87C000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 41):
0 System Idle Process
4 System
924 C:\WINDOWS\system32\smss.exe
972 csrss.exe
1000 C:\WINDOWS\system32\winlogon.exe
1044 C:\WINDOWS\system32\services.exe
1056 C:\WINDOWS\system32\lsass.exe
1308 C:\WINDOWS\system32\ati2evxx.exe
1324 C:\WINDOWS\system32\svchost.exe
1432 svchost.exe
1556 C:\WINDOWS\system32\svchost.exe
1592 C:\WINDOWS\system32\svchost.exe
1728 svchost.exe
2012 svchost.exe
332 C:\WINDOWS\system32\spoolsv.exe
412 svchost.exe
780 C:\WINDOWS\explorer.exe
1480 C:\WINDOWS\ehome\ehtray.exe
1492 C:\WINDOWS\stsystra.exe
1520 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
1580 C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
1696 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
1752 C:\WINDOWS\ehome\ehrecvr.exe
192 C:\WINDOWS\system32\ctfmon.exe
240 C:\WINDOWS\ehome\ehSched.exe
644 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
960 C:\Program Files\Digital Line Detect\DLG.exe
948 C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
2232 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2256 C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
2456 svchost.exe
2520 C:\WINDOWS\system32\svchost.exe
2876 C:\WINDOWS\system32\fxssvc.exe
2988 mcrdsvc.exe
3868 C:\WINDOWS\system32\dllhost.exe
3984 C:\WINDOWS\system32\dlcccoms.exe
2060 alg.exe
3620 C:\WINDOWS\ehome\ehmsas.exe
2884 C:\WINDOWS\system32\wscntfy.exe
1428 C:\Program Files\Internet Explorer\iexplore.exe
2200 C:\Documents and Settings\Brenda Poland\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)
PhysicalDrive0 Model Number: SAMSUNGHD160JJ/P, Rev: ZM100-34
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Thanks for not giving up on this!
Jess
-
Let's try another; if it is what I suspect you may be infected with, this may not run either, but no need for alarm just yet.
Please download TDSSKiller.zip and extract it to your desktop.
- Double click TDSSKiller.exe
- Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Copy and paste the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)
-
ken545,
You were right. It did not run.
What is the next step in this suspected infection?
Thanks again,
Jess
-
Jess, still not 100% sure but you have signs that your Master Boot Record may be infected, lots of this going around lately.
What I need you to do is get me an offline dump of your MBR. Be sure to use Firefox and not Internet Explorer for the downloads, as IE has been really messing it up. Then we can look at it and determine if it is indeed infected; if it is, it can be fixed, and if it's not, we can look at other options.
I would print this out so you can follow along real well.
- xPUD
We will need a USB stick and access to an uninfected machine.
We need to prepare the USB stick. It is not absolutely essential that it is formatted, but it may help if it is:
- Insert your USB drive into the uninfected machine.
- Click on Start > My Computer > right click your USB drive > choose Format > Quick format.
Next
- Download both http://sourceforge.net/projects/unet...7.exe/download and http://noahdfear.net/downloads/boota...xpud-0.9.2.iso to the desktop of the uninfected machine.
- Make sure you have the formatted USB stick in the uninfected system.
- Double click on the unetbootin-xpud-windows-387.exe that you just downloaded.
- Press Run and then OK.
- Select the DiskImage option then click the browse button located on the right side of the textbox field.
- Browse to and select the xpud-0.9.2.iso file you downloaded.
- Verify the correct drive letter is selected for your USB device then click OK.
- It will install a little bootable OS on your USB device
- After it has completed do not choose to reboot the clean computer, simply close the installer.
Next
- Take the USB to the infected computer and boot with it.
- The computer must be set to boot from the USB (as soon as BIOS is loaded tap F12 and choose to boot from the USB drive).
- A Welcome to xPUD screen will appear.
- Press File.
- Expand mnt.
- sda1,2...usually corresponds to your HDD.
- sdb1 is likely your USB drive.
- Click on the folder that represents your USB drive (sdb1 ?).
- Confirm that you see dumpit that you downloaded there.
- Double click on dumpit.
- Once completed, a file called mbr.zip will be saved to the USB drive.
- Take the USB drive back to the uninfected system and attach the mbr.zip in your next reply.
If you encounter any difficulties just let me know.
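As an added example (not MBRCheck, dumpit or xPUD, and not code from anyone in this thread), the script below shows what an analyst does with a 512-byte MBR dump like the one requested above: check the 0x55AA boot signature, parse the four partition-table entries, and compare the SHA1 of the bootstrap code region against a set of known-good hashes, which is the kind of comparison behind the "MBR Code Faked!" verdict in the MBRCheck log posted earlier. The sample MBR, the known-good hash set and the choice to hash the first 440 bytes are constructed assumptions for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
CODE_SIZE = 440            # bootstrap code; disk signature follows at offset 440 (assumed range)
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(code_byte: int = 0x90) -> bytes:
    """Construct a synthetic MBR (not a real dump): filler boot code, a disk
    signature, one bootable NTFS (0x07) partition at LBA 2048, and 0x55AA."""
    code = bytes([code_byte]) * CODE_SIZE
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 312_000_000)
    table = entry + b"\x00" * 48            # remaining three entries unused
    return code + disk_sig + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-signature validity, SHA1 of the code region and used partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:                      # type 0 means the slot is empty
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "code_sha1": hashlib.sha1(mbr[:CODE_SIZE]).hexdigest().upper(),
        "partitions": partitions,
    }


def classify(mbr: bytes, known_good: set) -> str:
    """Mirror the MBRCheck-style verdict: a code hash outside the known-good set is
    'non-standard' and needs a closer look; it is not proof of infection by itself."""
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "Invalid boot signature"
    if info["code_sha1"] in known_good:
        return "Known-good MBR code"
    return "Non-standard MBR code"


if __name__ == "__main__":
    # Placeholder known-good set: in practice, hashes taken from a clean install of the same OS.
    known = {parse_mbr(build_sample_mbr())["code_sha1"]}
    print(classify(build_sample_mbr(), known), classify(build_sample_mbr(0xCC), known))
```

For a real dump, pass the first 512 bytes of the extracted image to parse_mbr and build the known-good set from a clean machine running the same Windows version, since legitimate boot code differs between releases.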
-
ken545,
Does the uninfected machine need to be the same OS as the infected machine?
There is a message at the end of each post, "Just a reminder that threads will be closed if no reply in 3 days."
I will be out of town for the weekend, back Sun pm. Getting to an uninfected machine, back, then to the uninfected machine may take some time.
Just in case, please do not close the thread. I will be back!
Thank you for your persistence.
Jess
-
ken545,
I checked the link for ".... to download dumpit from the following link: http://noahdfear.net/downloads/dumpit"
There were no downloads. A page full of symbols and characters showed up.
Did the link get truncated?
Thanks,
Jess
-
Jess,
Let me check on that link for you; it may have changed. You should use a computer with the NTFS file system, which is XP, Vista or Win 7.
Not to worry about this thread, I will keep it open for you.
-
Are you using Firefox to download the dumpit file?
-
ken545,
Thank you for keeping the thread open for me, much appreciated.
I was not using Firefox to download the dumpit. I was reviewing your procedures using my machine and IE, default browser, to make sure I fully understood before proceeding to use a friend's PC. Today, I switched to Firefox and the window for "save file" came up for dumpit. It is working fine. Sorry, my bad.
I see that it is imperative to have Firefox on my friend's PC before starting the offline dump procedure. She will be dropping off her laptop today during her lunch break. It is a newer PC and should have Win 7. I will definitely download Firefox if it is not already there. Hopefully, I'll have something today before I leave for the weekend.
Once again, thank you ken545 for your help.
Jess
-
Hello Jess,
Yep, you will need FF to download those files, and then if your friend doesn't like it she can uninstall it. Myself, I've been a FF fan for many years.