Win32 MB Rootkit from XP Antispyware Virus

[strangerinchi]

Hi! Browsers still crashing, freezing and redirecting, unfortunately. =[[

[strangerinchi]

UPDATE: Okay I did download the new Java version (as mine was 6 Update 13) and followed the other directions. ^^

[SuperDave]

Let's run a few more scans to see what turns up.

Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it



Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives



On completion of the scan click save log, save it to your desktop and post in your next reply

[strangerinchi]

Hi, Dave! Hope you and yours had a very merry xmas! =]]] Here is the log from the scan:

========================================================================


aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-26 19:54:08
-----------------------------
19:54:08.753    OS Version: Windows 5.1.2600 Service Pack 2
19:54:08.753    Number of processors: 1 586 0x4F02
19:54:08.753    ComputerName: BOPEEP  UserName:
19:54:09.470    Initialize success
19:55:14.292    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
19:55:14.292    Disk 0 Vendor: ST3160812AS 3.AHH Size: 152627MB BusType: 3
19:55:16.334    Disk 0 MBR read successfully
19:55:16.334    Disk 0 MBR scan
19:55:16.334    Disk 0 unknown MBR code
19:55:16.334    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       143846 MB offset 63
19:55:16.349    Disk 0 Partition 2 00     0C    FAT32 LBA RECOVERY     8770 MB offset 294613200
19:55:16.349    Disk 0 scanning sectors +312575760
19:55:16.381    Disk 0 malicious Win32:MBRoot code @ sector 312575763 !
19:55:16.381    Disk 0 PE file @ sector 312575785 !
19:55:16.396    Disk 0 scanning C:\WINDOWS\system32\drivers
19:55:21.882    Service scanning
19:55:22.288    Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
19:55:23.223    Modules scanning
19:55:59.507    Disk 0 trace - called modules:
19:55:59.523    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8a996259]<<
19:55:59.523    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8f7030]
19:55:59.523    3 CLASSPNP.SYS[ba10905b] -> nt!IofCallDriver -> \Device\0000006c[0x8aa152c8]
19:55:59.523    5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x8aa97940]
19:55:59.523    Scan finished successfully
19:56:19.613    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Compaq_Administrator\Desktop\MBR.dat"
19:56:19.613    The log file has been saved successfully to "C:\Documents and Settings\Compaq_Administrator\Desktop\aswMBR.txt"

[SuperDave]

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

•Double-click on MBRCheck.exe to run it.

•It will open a black window...please do not fix anything (if it gives you an option).

•When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.

•A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
•Please copy and paste the contents of that log in your next reply.

[strangerinchi]

Hi! Here is the MBRCheck scan log. =]]

======================================================================
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:         
Windows Version:      Windows XP Professional
Windows Information:      Service Pack 2 (build 2600)
Logical Drives Mask:      0x0000001c

Kernel Drivers (total 126):
  0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
  0x806CE000 \WINDOWS\system32\hal.dll
  0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
  0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
  0xB9F79000 ACPI.sys
  0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
  0xB9F68000 pci.sys
  0xBA0A8000 isapnp.sys
  0xBA0B8000 ohci1394.sys
  0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
  0xBA670000 pciide.sys
  0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
  0xBA5AC000 viaide.sys
  0xBA5AE000 intelide.sys
  0xBA0D8000 MountMgr.sys
  0xB9F49000 ftdisk.sys
  0xBA5B0000 dmload.sys
  0xB9F23000 dmio.sys
  0xBA330000 PartMgr.sys
  0xBA338000 pavboot.sys
  0xBA0E8000 VolSnap.sys
  0xB9F0B000 atapi.sys
  0xBA0F8000 disk.sys
  0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
  0xB9EEB000 fltMgr.sys
  0xB9ED9000 sr.sys
  0xBA118000 PxHelp20.sys
  0xB9EC2000 KSecDD.sys
  0xB9E35000 Ntfs.sys
  0xB9E08000 NDIS.sys
  0xB9DED000 Mup.sys
  0xBA198000 \SystemRoot\system32\DRIVERS\AmdK8.sys
  0xBA468000 \SystemRoot\system32\DRIVERS\aracpi.sys
  0xB9059000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
  0xB9045000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
  0xBA470000 \SystemRoot\system32\DRIVERS\usbohci.sys
  0xB9022000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0xBA478000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0xBA1A8000 \SystemRoot\system32\DRIVERS\imapi.sys
  0xBA650000 \??\C:\WINDOWS\system32\drivers\UBHelper.sys
  0xBA1B8000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0xBA1C8000 \SystemRoot\system32\DRIVERS\redbook.sys
  0xB8FFF000 \SystemRoot\system32\DRIVERS\ks.sys
  0xBA652000 \??\C:\WINDOWS\system32\drivers\NTIDrvr.sys
  0xBA480000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
  0xB8FBA000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
  0xB8EC3000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
  0xB8E0D000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
  0xBA488000 \SystemRoot\System32\Drivers\Modem.SYS
  0xB8DE8000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
  0xBA574000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
  0xB8D9D000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
  0xB8D66000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
  0xBA1D8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0xBA490000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0xBA656000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
  0xBA498000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0xBA658000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
  0xBA578000 \SystemRoot\system32\DRIVERS\arpolicy.sys
  0xBA65C000 \SystemRoot\system32\DRIVERS\serscan.sys
  0xBA6B3000 \SystemRoot\system32\DRIVERS\audstub.sys
  0xBA1E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0xBA57C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0xB8D4F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0xBA1F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0xBA208000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0xBA4A0000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0xB8D3E000 \SystemRoot\system32\DRIVERS\psched.sys
  0xBA218000 \SystemRoot\system32\DRIVERS\msgpc.sys
  0xBA4A8000 \SystemRoot\system32\DRIVERS\ptilink.sys
  0xBA4B0000 \SystemRoot\system32\DRIVERS\raspti.sys
  0xB8D0D000 \SystemRoot\system32\DRIVERS\rdpdr.sys
  0xBA228000 \SystemRoot\system32\DRIVERS\termdd.sys
  0xBA660000 \SystemRoot\system32\DRIVERS\swenum.sys
  0xB8CB1000 \SystemRoot\system32\DRIVERS\update.sys
  0xBA5A4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0xBA238000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0xBA308000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0xBA5CC000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0xB9827000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
  0xB4375000 \SystemRoot\system32\drivers\RtkHDAud.sys
  0xB4353000 \SystemRoot\system32\drivers\portcls.sys
  0xB9561000 \SystemRoot\system32\drivers\drmk.sys
  0xBA5F2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
  0xBA757000 \SystemRoot\System32\Drivers\Null.SYS
  0xBA5F4000 \SystemRoot\System32\Drivers\Beep.SYS
  0xB5EC3000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0xB5EBB000 \SystemRoot\System32\drivers\vga.sys
  0xBA5F6000 \SystemRoot\System32\Drivers\mnmdd.SYS
  0xBA5F8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0xB5EAB000 \SystemRoot\System32\Drivers\Msfs.SYS
  0xB5E9B000 \SystemRoot\System32\Drivers\Npfs.SYS
  0xB8C6D000 \SystemRoot\system32\DRIVERS\rasacd.sys
  0xB407A000 \SystemRoot\system32\DRIVERS\ipsec.sys
  0xB4022000 \SystemRoot\system32\DRIVERS\tcpip.sys
  0xB3FFA000 \SystemRoot\system32\DRIVERS\netbt.sys
  0xB3FD8000 \SystemRoot\System32\drivers\afd.sys
  0xBA158000 \SystemRoot\system32\DRIVERS\netbios.sys
  0xB3FB6000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
  0xB5E93000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
  0xB3F8B000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0xBA178000 \SystemRoot\System32\Drivers\Fips.SYS
  0xB3F52000 \SystemRoot\system32\DRIVERS\ipnat.sys
  0xBA188000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0xA976A000 \SystemRoot\System32\Drivers\Fastfat.SYS
  0xA9752000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0xB2ABA000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
  0xBF800000 \SystemRoot\System32\win32k.sys
  0xA97B7000 \SystemRoot\System32\drivers\Dxapi.sys
  0xA9B39000 \SystemRoot\System32\watchdog.sys
  0xBF000000 \SystemRoot\System32\drivers\dxg.sys
  0xBA73B000 \SystemRoot\System32\drivers\dxgthk.sys
  0xBF012000 \SystemRoot\System32\nv4_disp.dll
  0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
  0xBA554000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0xA883D000 \SystemRoot\system32\drivers\wdmaud.sys
  0xBA268000 \SystemRoot\system32\drivers\sysaudio.sys
  0xA879B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
  0xA859E000 \SystemRoot\System32\Drivers\HTTP.sys
  0xA851F000 \SystemRoot\system32\DRIVERS\srv.sys
  0xA8623000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
  0xA84CF000 \SystemRoot\System32\Drivers\Cdfs.SYS
  0xBA410000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
  0xA82E7000 \??\C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\aswMBR.sys
  0x95997000 \SystemRoot\system32\drivers\kmixer.sys
  0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 48):
       0 System Idle Process
       4 System
     656 C:\WINDOWS\system32\smss.exe
     704 csrss.exe
     728 C:\WINDOWS\system32\winlogon.exe
     772 C:\WINDOWS\system32\services.exe
     784 C:\WINDOWS\system32\lsass.exe
     940 C:\WINDOWS\system32\svchost.exe
     984 svchost.exe
    1076 C:\WINDOWS\system32\svchost.exe
    1124 svchost.exe
    1168 svchost.exe
    1724 C:\WINDOWS\explorer.exe
    1756 svchost.exe
    1876 C:\WINDOWS\RTHDCPL.EXE
    1916 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1948 C:\Program Files\Orbitdownloader\orbitdm.exe
    1984 C:\Program Files\Orbitdownloader\orbitnet.exe
     344 C:\Program Files\SUPERAntiSpyware\SASCore.exe
     356 C:\WINDOWS\system32\svchost.exe
     368 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     484 C:\WINDOWS\arservice.exe
     516 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
     556 C:\Program Files\Bonjour\mDNSResponder.exe
     592 C:\WINDOWS\ehome\ehrecvr.exe
     904 C:\WINDOWS\ehome\ehSched.exe
    1072 C:\Program Files\Java\jre6\bin\jqs.exe
    1192 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    1240 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    1276 C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
    1596 C:\WINDOWS\system32\nvsvc32.exe
    1688 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    1232 svchost.exe
    1900 C:\WINDOWS\system32\svchost.exe
    2008 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    2076 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    2228 mcrdsvc.exe
    2584 C:\WINDOWS\system32\dllhost.exe
    2932 C:\WINDOWS\system32\wscntfy.exe
    3580 alg.exe
     552 C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
    2408 C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    3176 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    1488 C:\Program Files\Windows Live\Contacts\wlcomm.exe
    5284 C:\Program Files\iPod\bin\iPodService.exe
    3504 C:\Program Files\AIM\aim.exe
    1368 C:\WINDOWS\system32\wuauclt.exe
    3108 C:\Documents and Settings\Compaq_Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000023`1ee1a000  (FAT32)

PhysicalDrive0 Model Number: ST3160812AS, Rev: 3.AHH   

      Size  Device Name          MBR Status
  --------------------------------------------
    149 GB  \\.\PhysicalDrive0   Unknown MBR code
            SHA1: 4A3BF69CA3259413E25A52D6E01242850E3B0E3 A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

[SuperDave]

Please run AVP again as per instructions in Reply #21.