Help needed with malware identification and removal


  • This topic is locked

#16
Crunchy409

  • Topic Starter
  • Member
  • 129 posts
Malwarebytes just started spouting off a handful of "successfully blocked access to a potentially malicious website" messages
  • 0



#17
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, let's take a different look at the MBR.

Download aswMBR.exe (1.8mb) to your desktop.
Double click the aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan click save log, save it to your desktop and post in your next reply.
  • 0

#18
Crunchy409

  • Topic Starter
  • Member
  • 129 posts
Here you go:


aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-17 16:38:18
-----------------------------
16:38:18.359 OS Version: Windows 5.1.2600 Service Pack 3
16:38:18.359 Number of processors: 2 586 0x170A
16:38:18.359 ComputerName: KIDD_COMPUTER UserName: Owner
16:38:19.406 Initialize success
16:40:17.203 AVAST engine defs: 11081701
16:57:09.406 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
16:57:09.406 Disk 0 Vendor: WDC_WD5000AAKS-00UU3A0 01.03B01 Size: 476938MB BusType: 3
16:57:09.406 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-17
16:57:09.406 Disk 1 Vendor: WDC_WD5000AADS-00L4B1 05.04C05 Size: 476938MB BusType: 3
16:57:09.406 Device \Driver\atapi -> DriverStartIo 8a6ba31b
16:57:11.406 Disk 1 MBR read successfully
16:57:11.406 Disk 1 MBR scan
16:57:11.500 Disk 1 MBR:Alureon-G [Rtk]
16:57:11.500 Disk 1 [email protected] code has been found
16:57:11.500 Disk 1 Windows XP default MBR code found via API
16:57:11.500 Disk 1 MBR hidden
16:57:11.500 Disk 1 MBR [TDL4] **ROOTKIT**
16:57:11.500 Disk 1 trace - called modules:
16:57:11.500 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a6ba4d0]<<
16:57:11.500 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a702ab8]
16:57:11.515 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006b[0x8a726700]
16:57:11.515 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8a6f0940]
16:57:11.515 \Driver\atapi[0x8a6f68e0] -> IRP_MJ_CREATE -> 0x8a6ba4d0
16:57:12.453 AVAST engine scan C:\WINDOWS
16:57:23.546 AVAST engine scan C:\WINDOWS\system32
16:58:45.015 AVAST engine scan C:\WINDOWS\system32\drivers
16:58:54.156 AVAST engine scan C:\Documents and Settings\Owner
17:02:05.953 AVAST engine scan C:\Documents and Settings\All Users
17:04:12.687 Scan finished successfully
17:06:37.093 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
17:06:37.093 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
  • 0

#19
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Re-Run aswMBR

Click Scan

On completion of the scan
Click the Fix Button


Save the log as before and post in your next reply
  • 0

#20
Crunchy409

  • Topic Starter
  • Member
  • 129 posts
Alright.

Booted the machine up and it seemed very unstable - rebooted on its own once. I got it stable, and began the fix. A warning from Malwarebytes came up while it was "verifying disinfection" and I tried to click it away. Either when I tried to click, or prior to that, it apparently had frozen up. The HDD light showed no activity.

I forced it off and started it again.
I started running the fix again, but got the message
"WARNING! Writing a new master boot record to your system partition could damage your partition table and cause your partitions to become accessible."

So I said no and figured I would get back to you.

Below is the log from this second time. This is the 2nd run, so I did NOT select fix this time due to the above warning.

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-17 16:38:18
-----------------------------
16:38:18.359 OS Version: Windows 5.1.2600 Service Pack 3
16:38:18.359 Number of processors: 2 586 0x170A
16:38:18.359 ComputerName: KIDD_COMPUTER UserName: Owner
16:38:19.406 Initialize success
16:40:17.203 AVAST engine defs: 11081701
16:57:09.406 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
16:57:09.406 Disk 0 Vendor: WDC_WD5000AAKS-00UU3A0 01.03B01 Size: 476938MB BusType: 3
16:57:09.406 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-17
16:57:09.406 Disk 1 Vendor: WDC_WD5000AADS-00L4B1 05.04C05 Size: 476938MB BusType: 3
16:57:09.406 Device \Driver\atapi -> DriverStartIo 8a6ba31b
16:57:11.406 Disk 1 MBR read successfully
16:57:11.406 Disk 1 MBR scan
16:57:11.500 Disk 1 MBR:Alureon-G [Rtk]
16:57:11.500 Disk 1 [email protected] code has been found
16:57:11.500 Disk 1 Windows XP default MBR code found via API
16:57:11.500 Disk 1 MBR hidden
16:57:11.500 Disk 1 MBR [TDL4] **ROOTKIT**
16:57:11.500 Disk 1 trace - called modules:
16:57:11.500 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a6ba4d0]<<
16:57:11.500 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a702ab8]
16:57:11.515 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006b[0x8a726700]
16:57:11.515 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8a6f0940]
16:57:11.515 \Driver\atapi[0x8a6f68e0] -> IRP_MJ_CREATE -> 0x8a6ba4d0
16:57:12.453 AVAST engine scan C:\WINDOWS
16:57:23.546 AVAST engine scan C:\WINDOWS\system32
16:58:45.015 AVAST engine scan C:\WINDOWS\system32\drivers
16:58:54.156 AVAST engine scan C:\Documents and Settings\Owner
17:02:05.953 AVAST engine scan C:\Documents and Settings\All Users
17:04:12.687 Scan finished successfully
17:06:37.093 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
17:06:37.093 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-08-17 18:29:18
-----------------------------
18:29:18.875 OS Version: Windows 5.1.2600 Service Pack 3
18:29:18.875 Number of processors: 2 586 0x170A
18:29:18.875 ComputerName: KIDD_COMPUTER UserName: Owner
18:29:19.734 Initialize success
18:29:24.562 AVAST engine defs: 11081701
18:29:26.000 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
18:29:26.015 Disk 0 Vendor: WDC_WD5000AAKS-00UU3A0 01.03B01 Size: 476938MB BusType: 3
18:29:26.015 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-17
18:29:26.015 Disk 1 Vendor: WDC_WD5000AADS-00L4B1 05.04C05 Size: 476938MB BusType: 3
18:29:28.046 Disk 1 MBR read successfully
18:29:28.046 Disk 1 MBR scan
18:29:28.093 Disk 1 Windows XP default MBR code
18:29:28.093 Disk 1 scanning sectors +976752000
18:29:28.156 Disk 1 scanning C:\WINDOWS\system32\drivers
18:29:36.546 Service scanning
18:29:37.609 Modules scanning
18:29:50.828 Disk 1 trace - called modules:
18:29:50.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
18:29:50.843 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a68eab8]
18:29:50.843 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006b[0x8a724a00]
18:29:50.843 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a705940]
18:29:52.328 AVAST engine scan C:\WINDOWS
18:30:03.015 AVAST engine scan C:\WINDOWS\system32
18:31:45.015 AVAST engine scan C:\WINDOWS\system32\drivers
18:32:01.859 AVAST engine scan C:\Documents and Settings\Owner
18:36:15.859 AVAST engine scan C:\Documents and Settings\All Users
18:39:20.359 Scan finished successfully
18:40:47.656 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
18:40:47.656 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
  • 0

#21
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The 1829 run shows a clean MBR :)

What are the current problems?
  • 0
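
The comparison of the two runs above can be scripted. This is an added example, not part of the original thread and not AVAST's code: it pulls the indicator lines out of an aswMBR log, checks whether a `\Driver\...` dispatch target equals the address of the `>>UNKNOWN<<` module, and lists which indicators are gone in the later run. The rule labels and the choice of indicators are assumptions of this example, based only on the lines that differ between the two logs posted here.

```python
import re

# Lines copied from the two aswMBR runs posted in this thread (trimmed).
FIRST_RUN = r"""16:57:09.406 Device \Driver\atapi -> DriverStartIo 8a6ba31b
16:57:11.500 Disk 1 MBR:Alureon-G [Rtk]
16:57:11.500 Disk 1 MBR hidden
16:57:11.500 Disk 1 MBR [TDL4] **ROOTKIT**
16:57:11.500 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a6ba4d0]<<
16:57:11.515 \Driver\atapi[0x8a6f68e0] -> IRP_MJ_CREATE -> 0x8a6ba4d0
"""
SECOND_RUN = r"""18:29:28.093 Disk 1 Windows XP default MBR code
18:29:50.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
18:29:50.843 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a705940]
"""

# Rule labels are this example's own names (assumptions), not aswMBR terms.
RULES = [
    ("rootkit_verdict", re.compile(r"MBR \[(\w+)\] \*\*ROOTKIT\*\*")),
    ("mbr_detection", re.compile(r"Disk \d+ (MBR:\S+)")),
    ("mbr_hidden", re.compile(r"Disk \d+ MBR (hidden)")),
    ("unknown_module", re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<")),
    # \Driver\... dispatch lines appear only in the first run on this page;
    # treating them as an indicator is an assumption of this example.
    ("dispatch_target", re.compile(
        r"\\Driver\\\w+\S* -> (?:DriverStartIo|IRP_MJ_\w+ ->) (?:0x)?([0-9a-f]{8})")),
]

def triage(log_text):
    """Return {label: [captured values]} for every rule that matched a line."""
    hits = {}
    for line in log_text.splitlines():
        for label, rx in RULES:
            m = rx.search(line)
            if m:
                hits.setdefault(label, []).append(m.group(1))
    return hits

def hook_lands_in_unknown_module(hits):
    """True when a driver dispatch target equals an >>UNKNOWN<< module address."""
    unknown = {int(a, 16) for a in hits.get("unknown_module", [])}
    targets = {int(a, 16) for a in hits.get("dispatch_target", [])}
    return bool(unknown & targets)

def cleared(before, after):
    """Indicator labels present in the earlier log and absent from the later one."""
    return sorted(set(triage(before)) - set(triage(after)))

if __name__ == "__main__":
    print(triage(FIRST_RUN), hook_lands_in_unknown_module(triage(FIRST_RUN)))
    print("cleared:", cleared(FIRST_RUN, SECOND_RUN))
```
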

#22
Crunchy409

  • Topic Starter
  • Member
  • 129 posts
Alright!

Well, we seem to be fairly stable!

I got an error almost right away that said
"Malwarebytes' Anti-Malware [openevent] failed to perform desired action. Error Code: 2"

Also, after about 2 hours of being turned on, I have 3 log entries on Norton, but may be related to programs installed and running?

Unauthorized access blocked (open process token)- the actor is listed as googleupdate.exe
Unauthorized access blocked (access process data)- the actor is listed as MBAM.exe
Unauthorized access blocked (access process data)- the actor is listed as MBAM.exe

So... Should I re-institute the startup processes, Win.INI, and System.INI to see what happens?
What should I do with the MBAMService? Try turning it on?

Thanks for your help!
  • 0

#23
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yes, let's revert now to a normal start and see what appertains. Also update and run MBAM, please, posting the resultant log.
  • 0

#24
Crunchy409

  • Topic Starter
  • Member
  • 129 posts
We're looking good:


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7513

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/19/2011 11:16:31 PM
mbam-log-2011-08-19 (23-16-31).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 245798
Time elapsed: 2 hour(s), 12 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



What do we need to do to remove the programs we've added?
  • 0

#25
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Subject to no further problems :yes:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
    (Notice the space between the "x" and "/")
    then click OK

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe :unsure:
  • 0



#26
Crunchy409

  • Topic Starter
  • Member
  • 129 posts
Thank you for all your help through this!

Everything seems very stable. When I initially ran your custom fix with OTL, it froze up shutting down. I manually shut it off and turned everything back on. It seemed to be working fine and did what it needed to do (gave me a log, below).

I had some questions for you:
1. Is Norton any good? It's free with Comcast but I was wondering if AVG was better?
2. What programs should be always on? Is it worth paying to have Malwarebytes always on?
3. I have been using Defraggler. Is Puran (what you had me download) better for general maintenance?
4. When the computer boots up, I get a screen that I didn't get before. It says "Please select the operating system to start" The first option is "Microsoft Windows Recovery Console- do not select this (debugger enabled)"

Is this something we need to get rid of, or should I just leave it in?

THANK YOU for your help! My in-laws are very excited to get their machine back :)
~Matt
  • 0

#27
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
1. Is Norton any good? It's free with comcast but I was wondering if AVG was better?
In reality all Antivirus programmes have their weak spots and none are 100%. If you wish to change to another free one I would recommend Avast over AVG. This is based on my personal preference. If you wish to change I will help you through the process.

2. What programs should be always on? Is it worth paying to have Malwarebytes always on?
All you really need is your Antivirus, Malwarebytes as a running programme is worthwhile and it is quite cheap for a lifetime licence

3. I have been using Defraggler. Is Puran (what you had me download) better for general maintenance?
Sort of six of one and half dozen of the other. The advantage that Puran has is the Boot time defrag and disc check

4. When the computer boots up, I get a screen that I didn't get before. It says "Please select the operating system to start" The first option is "Microsoft Windows Recovery Console- do not select this (debugger enabled)"
OK that is the recovery console, we will keep it, but hide it

Right click my computer > properties > advanced tab >startup and recovery settings
Uncheck the display list of operating systems box


Feel free to ask any further questions
  • 0

#28
Crunchy409

  • Topic Starter
  • Member
  • 129 posts
That's great! Thank you for your time and help. I think we've got everything taken care of! :)

I really appreciate it!
  • 0

#29
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





