SMSS.exe Virus Problem
Started by Dom Fontana, Apr 30 2011 06:26 AM
#76
Posted 07 May 2011 - 05:51 AM
#77
Posted 07 May 2011 - 05:56 AM
Grand - on your desktop will be a file called aswmbr.dat could you zip that and attach to your next post please as I would like to forward it to GMER and help him improve aswmbr
#78
Posted 07 May 2011 - 05:59 AM
Okay, no malicious items were found. Here is the log. Also, after running ComboFix, it is as if my computer was given an adrenaline boost. It is much faster and peppier now.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6526
Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514
5/7/2011 7:47:15 AM
mbam-log-2011-05-07 (07-47-15).txt
Scan type: Quick scan
Objects scanned: 167445
Time elapsed: 2 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#79
Posted 07 May 2011 - 06:02 AM
Hmm, let's wait a few hours before I remove my tools and tidy you up - my paranoia showing through.
#80
Posted 07 May 2011 - 06:07 AM
Okay, let's do that and wait a bit.
If you have a moment, could you please explain briefly exactly what was wrong?
Thanks.
#81
Posted 07 May 2011 - 06:24 AM
For sure. The original infection altered your master boot record to ensure that the malware ran every time you booted the computer. This is a very sneaky variant in that it hooked the sptd system file and then used that to mask the changes to your boot record. Any attempt to access the true MBR was blocked by a blue screen stop error.
SPTD.sys is a well known file that does hook files as part of its job, so TDSSKiller saw nothing wrong with that and did not flag it as infected. When it tried to investigate the MBR it was presented with a phony clean MBR, therefore all was good as far as TDSSKiller was concerned. ASWMbr saw the problem with the SPTD file but it is not geared to cure that type of infection.
So you had a layered attack which was very sneaky, and as I say this is the first time I have come across it. Once we removed SPTD then TDSSKiller could see the true MBR and reported the infection; aswMBR did not see it - which is why I would like the aswMBR.dat file. However, any attempt to repair the MBR from within Windows caused a stop error, which is why we had to repair the MBR outside of Windows.
As clear as mud
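The explanation above describes a rootkit that fed a phony clean MBR to anything reading the disk from inside Windows, so the true sector was only visible once the disk was read outside Windows. As an added example (an editor's illustration, not a tool used or posted in this thread), the Python below parses two raw 512-byte MBR images and reports where they differ, which is how a dump taken from inside Windows can be checked against a dump taken offline or against a known-good baseline. The two images are constructed sample data, not captures from the infected machine; the disk signature and partition values are made-up placeholders.

```python
"""Compare two raw MBR images and report what differs.

Added example. A boot-sector rootkit typically replaces the bootstrap code
while leaving the partition table intact, so a tool that only checks the
partition table (or that is handed a faked sector) reports nothing wrong.
Comparing the bootstrap hash, disk signature and partition entries of two
views of the same sector exposes the substitution.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440       # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # trailing 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the fields worth comparing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if ptype != 0:          # type 0 means an unused entry
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start,
                          "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "boot_signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
    }


def compare_mbr(baseline: bytes, observed: bytes) -> list:
    """Return a list of human-readable differences; empty means identical."""
    a, b = parse_mbr(baseline), parse_mbr(observed)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code differs")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature differs")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs")
    if not b["boot_signature_ok"]:
        findings.append("observed sector lacks 0x55AA boot signature")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given bootstrap bytes plus one bootable
    NTFS-type (0x07) partition. Values are placeholders, not real data."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x1234ABCD)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF,
                     0x80, 0x07, 2048, 204800)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Constructed inputs: same partition table, different bootstrap code,
# mirroring what the thread describes (boot code altered, table untouched).
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90CLEAN BOOTSTRAP")
TAMPERED_MBR = build_sample_mbr(b"\xEB\x3C\x90TAMPERED BOOTSTRAP")

if __name__ == "__main__":
    for label, a, b in (("clean vs clean", CLEAN_MBR, CLEAN_MBR),
                        ("clean vs tampered", CLEAN_MBR, TAMPERED_MBR)):
        print(label, "->", compare_mbr(a, b) or "no differences")
```

On a real case the two inputs would be the first 512 bytes of the physical disk dumped once from inside the running system and once from a boot CD or a known-clean reference; the point of the comparison is that the in-Windows view cannot be trusted on its own when a driver is filtering disk reads.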
#82
Posted 07 May 2011 - 06:33 AM
Interesting. Very interesting. So in effect, not only did I have a nasty infection that altered the master boot record, but it also altered the sptd file so that most programs wouldn't know that the master boot record had been altered, so it never saw the infection and couldn't cure it. Is that basically what happened?
My luck, I am the first one to get it. haha.
I saved all the aswMBR.dat files. Do you want me to attach them for you?
#83
Posted 07 May 2011 - 06:35 AM
Yes please - I will upload them for further analysis and then link to this thread so that GMER can peruse it.
You may have been the first but I am sure not the last. However, I now know how to combat it a lot faster, so thank you for sticking with it.
#84
Posted 07 May 2011 - 07:07 AM
Okay, I will attach them now. Well, that's very nice of you, but I deserve no credit for getting infected. YOU deserve all the credit for curing it. Thank you so very much.
Two thumbs up for you!
Edited by Dom Fontana, 07 May 2011 - 07:07 AM.
#85
Posted 07 May 2011 - 07:08 AM
Ta, GMER is ready for the files.
#86
Posted 07 May 2011 - 07:10 AM
Okay, here are the MBR files. I numbered them. I saved everything, so if you need any of the logs or anything else, just let me know.
Problem: It says you are not permitted to upload that type of file. I have 3 MBR.dat files. Do you want me to email them to you?
Edited by Dom Fontana, 07 May 2011 - 07:11 AM.
#87
Posted 07 May 2011 - 07:14 AM
Sorry, I forgot to say: could you zip them up? That will allow you to attach them.
#88
Posted 07 May 2011 - 07:17 AM
Before I do that, for file type, they all say Video CD Movie and are linked to Nero. That doesn't sound right. Do you want me to change the file type?
#89
Posted 07 May 2011 - 07:19 AM
If you right click the file and select Send to..., an option will be Compressed (zipped) folder. Select that for the first file and then drag and drop the remainder into the folder created.
#90
Posted 07 May 2011 - 07:20 AM
I know how to zip them, but I was asking if they are supposed to be Video CD files.