Laptop had Win 7 64 installed without knowing it was infected with a rootkit. MBR prevents fresh install. I thought the sluggishness was from a year of windows-bloat. Running avast! Internet Sec. 6.0. The logs are huge so I just attached them as text except for aswMBR. Any help is GREATLY appreciated. EDIT: I ran Malwarebytes, SuperAntiSpyware, TDSKiller, avast! Internet Security 6.0 boot scan with full scans of everything (but I’m pretty sure avast is toast since it’s hooked). Anything that autofixes this KISS style isn’t recognizing it. Would a CD with a HDD wipe work?
I don’t even care about this laptop OS being preserved as backup data has been done from reinstalling, so if there is a way to format my HDD and get rid of the MBR so I can install Win 7 fresh I’m more than willing to do that to avoid any artifacts.
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-10 11:44:52
-----------------------------
11:44:52.651 OS Version: Windows x64 6.1.7600
11:44:52.651 Number of processors: 4 586 0x2502
11:44:52.652 ComputerName: XIRRI UserName:
11:44:54.535 Initialize success
11:44:58.586 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:44:58.589 Disk 0 Vendor: WDC_WD5000BEKT-00KA9T0 01.01A01 Size: 476940MB BusType: 11
11:45:00.652 Disk 0 MBR read successfully
11:45:00.653 Disk 0 MBR scan
11:45:00.656 Disk 0 Windows 7 default MBR code
11:45:00.659 Service scanning
11:45:02.296 Disk 0 trace - called modules:
11:45:02.358 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
11:45:02.362 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007a60060]
11:45:02.366 3 CLASSPNP.SYS[fffff880018df43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007769060]
11:45:02.369 Scan finished successfully
11:45:42.587 Disk 0 MBR has been saved successfully to "C:\Users\Divide_By_Z3r0\Documents\MBR.dat"
11:45:42.588 The log file has been saved successfully to "C:\Users\Divide_By_Z3r0\Documents\aswMBR.txt"
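Added example, not from this thread or from AVAST: a small Python triage helper that parses aswMBR output in the line layout shown in the log above (timestamp prefix, "Disk N ..." lines, a "trace - called modules:" header followed by the module list). The expected-module set is taken from that log; the clean sample is constructed from it and the "review" sample in the usage note is constructed wording, not a real aswMBR message.

```python
import re

# Constructed sample, modelled on the aswMBR log posted in this thread.
CLEAN_LOG = """\
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-10 11:44:52
11:44:52.651 OS Version: Windows x64 6.1.7600
11:44:58.589 Disk 0 Vendor: WDC_WD5000BEKT-00KA9T0 01.01A01 Size: 476940MB BusType: 11
11:45:00.652 Disk 0 MBR read successfully
11:45:00.653 Disk 0 MBR scan
11:45:00.656 Disk 0 Windows 7 default MBR code
11:45:02.296 Disk 0 trace - called modules:
11:45:02.358 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
11:45:02.369 Scan finished successfully
"""

# Windows storage-stack modules seen in the clean log above (assumption: anything
# else in the disk I/O path deserves a manual look, as a hooked driver would show up here).
EXPECTED_MODULES = {"ntoskrnl.exe", "classpnp.sys", "disk.sys", "ataport.sys",
                    "pciidex.sys", "hal.dll", "msahci.sys"}
TS = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ")  # leading "HH:MM:SS.mmm " timestamp

def triage_aswmbr(text):
    """Return {disk_index: {mbr, modules, unexpected, verdict}} for an aswMBR log."""
    disks, pending = {}, None
    for raw in text.splitlines():
        line = TS.sub("", raw.strip())
        if pending is not None:
            # The line after "trace - called modules:" lists drivers in the I/O path.
            mods = [m.lower() for m in line.split()]
            disks[pending]["modules"] = mods
            disks[pending]["unexpected"] = sorted(set(mods) - EXPECTED_MODULES)
            pending = None
            continue
        m = re.match(r"Disk (\d+) (.*)", line)
        if not m:
            continue
        idx, rest = int(m.group(1)), m.group(2)
        d = disks.setdefault(idx, {"mbr": None, "modules": [], "unexpected": []})
        if "default MBR code" in rest:
            d["mbr"] = "default"
        elif "MBR" in rest and not rest.startswith(("MBR read", "MBR scan", "MBR has been")):
            d["mbr"] = rest  # any other description of the MBR code is treated as suspect
        elif rest.startswith("trace - called modules"):
            pending = idx
    for d in disks.values():
        d["verdict"] = "clean" if d["mbr"] == "default" and not d["unexpected"] else "review"
    return disks
```

A log whose MBR line is anything other than "default MBR code", or whose module trace contains a driver outside the expected set, comes back with verdict "review" so a human can compare it against the posted log.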
I’m running @killdisk right now. More than anything, I want to know how I got this but it’s impossible to know now. Due to reinstalling a day ago I didn’t want anything left behind so I chose this route. My prof gave me an extra day so it’s all good.
My desktop is another story but it’ll have to wait a week. Thanks for the input fellas.
I am referring you to our Certified Malware expert, Essexboy, for malware removal. He will review your logs and give you further instructions; however, he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.
Please do not make any further changes to your machine in the meantime.
Well I thought it was based off advice from the aswMBR log I posted. Are you saying that log shows my system is healthy? That would be great because I ran BCwipe total WipeOut (with the exception of ATA erase because my BIOS blocks it). It did delete the entire drive with all other options enabled and upon reinstall of Win 7 aswMBR showed the same results.
The laptop is custom so getting a new BIOS is very difficult.
Hijackthis looked much better after bcwipe so if that asw log is normal I’m in good shape.
Thanks for the info! I was misinformed and should have waited/posted here first. It makes sense my system is probably clean since I ran literally every scan from all prominent AV forums and nothing was detected since running WipeOut.
I do find it odd reinstalling Win 7 doesn’t do a better job wiping the MBR and such. I’ll post a HijackThis log after I’m done installing my drivers. It seems a lot of stuff is reported, and what concerns me most are the missing program results which I don’t understand at all.
Thank you all for your replies. I truly appreciate them!
Personally I feel that HJT brings anything to the party, it is a very old tool which hasn’t been updated in over 18 months and hasn’t kept pace with malware developments. It doesn’t even look in many of the locations that modern malware seeks to hide.
There are better specialist tools like OTS but they require interpretation by someone familiar with it, such as essexboy (but he won’t be back on the forums until tomorrow night, it is 1:15am in the UK).
Again it would revolve around your having a problem, so after installing the drivers, etc. and you have rebooted, what problems are you experiencing?
So I ran combofix and it showed a directory that is really weird with all sorts of modules and hooks. My laptop has been running slow at the login and I feel like it’s infected somehow. Googling some of the readable text it came up with PHPJackal.
I ran BCWipe totalwipeout and reinstalled yet I have these files from March 2011 implicating all this hooking of stuff. Wtf is going on!? I get no results from other scans yet with 8gb of RAM 27% is in use. Should I hot swap and run bcwipe after BIOS load to wipe? All these svchost processes have weird labels after them. This is my first virus/trojan in a decade and I’m at a loss. I’m on my iphone b/c I’m afraid to go online with my laptop. IDE erase is disabled by my BIOS. No option to disable.
Before running BCWipe totalwipeout and reinstalling, it would have been more helpful to us, who are trying to help you, if you had provided us with an OTS log(s) of your machine. This gives us important information, and perhaps you may not have had to wipe and reinstall everything on your machine so we can fix the problem.
Did you run the ComboFix after reinstalling? If so, please attach the log to your next post.
I will also notify Essexboy of the latest developments. In the meantime, do not make any further changes to your machine. Thank you.
edit: The reason I am still dubious about being clean is the time it takes for Win 7 to log me in (I have very little software installed after all the formatting), the time it lags when I click on my wireless connection, and I got an email yesterday saying one of my passwords for an account attempted to be changed. The laptop isn’t amazing or anything (i3-350m, 500GB WD Scorpio 7200rpm, nVidia 335m, 8gb DDR3), but it never ran this slow and I have it set to max performance and not max appearance.
It is a product from a very small company, which was a big mistake on my part and one I won’t repeat, as I am unable to update my BIOS and many drivers without specifically modding their .inf’s. When I run GPUZ/CPUID the fields for any pertinent mfg. data are not filled in. When googling the BIOS version I get one thread from another guy who bought the same laptop and he received no replies. The seller is really weird and uncooperative in providing me a copy of the BIOS. If it turns out this machine isn’t infected that would be great, but I have a weird feeling about it because the BIOS disables ATA Erase so my BCWipe can’t use that functionality.
After you check out the combofix log and deem my system healthy I’ll be less inclined to worry, but my desktop is also infected. aswMBR came back with a positive scan, and I ran the mbr fix. That didn’t really seem that great, and I’ll be wiping all the drives on that machine, and at least I can update the BIOS with the Sabertooth x58.
MBAM confirmed a lot of malware on this laptop prior to my formatting, and it was a redirect. After years of cautious behavior I fell out of the loop as to what commonly infects computers now and it’s made me feel like an idiot because I can’t effectively interpret what I see in any of these scans.
How prevalent are infections that make their way into BIOS/firmware?
Your OTS log is dated 5/10/11. Since that time, you have run other malware removal tools, wiped your machine and did a reinstall of your machine. Asking for another OTS on 5/13/11 was appropriate prior to doing a ComboFix so that we could see what was going on in your machine, which was the reason I was asking for it; however, it is too late now since you ran the ComboFix. Every time you make a change to your machine, your OTS log will change.
Rather than wait for Essexboy’s help on fixing your desktop, you are already jumping to fix your desktop. If you feel comfortable doing this, then by all means do so, but he is an expert in this area. IMO, I would wait for Essexboy to assist you. First, I would post as an attachment an OTS log for your desktop for him to review when he gets to the forum in a few hours so we can see exactly what is going on with this machine. Thank you.
Well I’ve posted on many boards as it seems a lot of ppl get infected. Finally, I used EasyBCD which led me to a help webpage to use the Win 7 recovery console to completely erase all aspects of the MBR and Boot areas, because I noticed those remained the same even using bcwipe (dated 2/5/2011). After replacing all of that I am pretty certain that did it.
My new install has no abnormalities as the past ones did. My laptop is behaving normally and I hope that did it.