SMSS.exe Virus Problem

#76 Dom Fontana (Topic Starter, Member, 170 posts)

Okay, I already have that program, so I will scan it now. If there is an update I will download it.
#77 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Grand. On your desktop will be a file called aswmbr.dat; could you zip that and attach it to your next post please, as I would like to forward it to GMER and help him improve aswmbr.

#78 Dom Fontana (Topic Starter, Member, 170 posts)

Okay, no malicious items were found. Here is the log. Also, after running ComboFix, it is as if my computer was given an adrenaline boost. It is much faster and peppier now.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6526

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

5/7/2011 7:47:15 AM
mbam-log-2011-05-07 (07-47-15).txt

Scan type: Quick scan
Objects scanned: 167445
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#79 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hmm, let's wait a few hours before I remove my tools and tidy you up - my paranoia showing through :)

#80 Dom Fontana (Topic Starter, Member, 170 posts)

Okay, let's do that and wait a bit.

If you have a moment, could you please explain briefly exactly what was wrong?

Thanks.

#81 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

For sure. The original infection altered your master boot record to ensure that the malware ran every time you booted the computer. This is a very sneaky variant in that it hooked the sptd system file and then used that to mask the changes to your boot record. Any attempt to access the true MBR was blocked by a blue screen stop error.

SPTD.sys is a well known file that does hook files as part of its job, so TDSSKiller saw nothing wrong with that and did not flag it as infected. When it tried to investigate the MBR it was presented with a phony clean MBR, therefore all was good as far as TDSSKiller was concerned. aswMBR saw the problem with the SPTD file but it is not geared to cure that type of infection.

So you had a layered attack which was very sneaky, and as I say this is the first time I have come across it. Once we removed SPTD then TDSSKiller could see the true MBR and reported the infection; aswMBR did not see it, which is why I would like the aswMBR.dat file. However, any attempt to repair the MBR from within Windows caused a stop error, which is why we had to repair the MBR outside of Windows.

As clear as mud :)
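The check behind the explanation above, written as an added example (not code from the thread or from any of the tools it names): parse two 512-byte MBR dumps, one as read through the running OS and one captured offline, and report whether the bootstrap code or the partition table differ, which is exactly the discrepancy a read-filtering rootkit produces. The sample MBRs and their bootstrap bytes are constructed placeholders, not real boot code.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, four partition entries and signature."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i : 446 + 16 * (i + 1)]
        lba, sectors = struct.unpack("<II", e[8:16])
        parts.append({"bootable": e[0] == 0x80, "type": e[4], "lba": lba, "sectors": sectors})
    return {"code": mbr[:446], "partitions": parts, "signature": mbr[510:]}

def sanity_issues(mbr: bytes) -> list:
    """Basic structural checks a clean MBR should pass."""
    p = parse_mbr(mbr)
    issues = []
    if p["signature"] != b"\x55\xaa":
        issues.append("bad boot signature")
    bootable = [e for e in p["partitions"] if e["bootable"]]
    if len(bootable) != 1:
        issues.append(f"{len(bootable)} bootable partitions (expected 1)")
    return issues

def compare_views(in_os: bytes, offline: bytes) -> dict:
    """Report how the OS-visible MBR differs from the one captured offline; a rootkit
    that filters disk reads shows up as a clean in-OS copy that does not match offline."""
    a, b = parse_mbr(in_os), parse_mbr(offline)
    diffs = [i for i in range(SECTOR) if in_os[i] != offline[i]]
    return {
        "identical": not diffs,
        "code_differs": a["code"] != b["code"],
        "table_differs": a["partitions"] != b["partitions"],
        "first_diff": diffs[0] if diffs else None,
        "sha256_os": hashlib.sha256(in_os).hexdigest(),
        "sha256_offline": hashlib.sha256(offline).hexdigest(),
    }

def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample: given bootstrap bytes, one bootable NTFS partition, 0x55AA."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return code.ljust(446, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"

# Constructed placeholders, not real boot code: what the OS showed vs. the offline read.
OS_VIEW_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
OFFLINE_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 10)
```

Reading the real sector 0 from a running system or a rescue environment is left to the reader; the functions take whatever 512 bytes you hand them.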

#82 Dom Fontana (Topic Starter, Member, 170 posts)

Interesting. Very interesting. So in effect, not only did I have a nasty infection that altered the master boot record, but it also altered the sptd file so that most programs wouldn't know that the master boot record had been altered, so it never saw the infection and couldn't cure it. Is that basically what happened?

My luck, I am the first one to get it. haha.

I saved all the aswMBR.dat files. Do you want me to attach them for you?

#83 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Yes please - I will upload them for further analysis and then link to this thread so that GMER can peruse it :)

You may have been the first but I am sure not the last. However, I now know how to combat it a lot faster, so thank you for sticking with it :unsure:

#84 Dom Fontana (Topic Starter, Member, 170 posts)

Okay, I will attach them now. Well, that's very nice of you, but I deserve no credit for getting infected. YOU deserve all the credit for curing it. Thank you so very much.

Two thumbs up for you! :unsure: :)

Edited by Dom Fontana, 07 May 2011 - 07:07 AM.


#85 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Ta, GMER is ready for the files :)
#86 Dom Fontana (Topic Starter, Member, 170 posts)

Okay, here are the MBR files. I numbered them. I saved everything, so if you need any of the logs or anything else, just let me know.

Problem: It says you are not permitted to upload that type of file. I have 3 MBR.dat files. Do you want me to email them to you?

Edited by Dom Fontana, 07 May 2011 - 07:11 AM.


#87 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Sorry, I forgot to say: could you zip them up? That will allow you to attach them.

#88 Dom Fontana (Topic Starter, Member, 170 posts)

Before I do that, for file type, they all say Video CD Movie and are linked to Nero. That doesn't sound right. Do you want me to change the file type?

#89 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

If you right-click the file and select Send to ..., one option will be compressed (zip) folder. Select that for the first file and then drag and drop the remainder into the folder created.

#90 Dom Fontana (Topic Starter, Member, 170 posts)

I know how to zip them, but I was asking if they are supposed to be Video CD files.