I am dealing with an apparent Alureon infection on a Windows 7 Home Premium Acer Laptop. I received a BSOD of:

"Stop 0x0000007B (0XFFFFF880009A97E8, 0xFFFFFFFFC000000D, 0x0000000000000000, 0x0000000000000000)"

This appears to be the same problem mentioned in this thread:
http://www.bleepingcomputer.com/forums/t/421857/windows-7-boot-sector-infection/

I cannot boot in normal or safe mode.
I've tried performing a fixmbr without success. I have scanned with FRST64.exe and saved the following log file:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-07-2013 04
Ran by SYSTEM on 28-07-2013 03:38:48
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12446824 2012-01-31] (Realtek Semiconductor)
HKLM\...\Run: [IntelPAN] - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1935120 2011-05-02] (Intel® Corporation)
HKLM\...\Run: [IntelTBRunOnce] - C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs [4526 2010-11-29] ()
HKLM\...\Run: [THXCfg64] - C:\Windows\system32\RunDLL32.exe [45568 2009-07-13] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2869008 2012-01-26] (Synaptics Incorporated)
HKLM\...\Run: [SynAsusAcpi] - C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe [100112 2012-01-26] (Synaptics Incorporated)
HKLM\...\Run: [XboxStat] - C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-09-30] (Microsoft Corporation)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
HKLM-x32\...\Run: [ASUSPRP] - C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3331312 2011-09-23] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ASUS Screen Saver Protector] - C:\Windows\AsScrPro.exe [3058304 2011-11-23] (ASUS)
HKLM-x32\...\Run: [THX TruStudio NB Settings] - C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe [909312 2011-03-16] (Creative Technology Ltd)
HKLM-x32\...\Run: [CPMonitor] - C:\Program Files (x86)\Roxio\CinePlayer\5.0\CPMonitor.exe [84464 2011-04-01] ()
HKLM-x32\...\Run: [VAWinAgent] - C:\ExpressGateUtil\VAWinAgent.exe [45448 2011-04-07] ()
HKLM-x32\...\Run: [UpdateLBPShortCut] - C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer] - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-11-02] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] - C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [ATKOSD2] - C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [318080 2011-12-22] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ATKMEDIA] - C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [174720 2011-10-24] (ASUS)
HKLM-x32\...\Run: [HControlUser] - C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [ACMON] - C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [102568 2012-02-06] (ASUS)
HKLM-x32\...\Run: [Wireless Console 3] - C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [2321072 2012-02-02] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [vProt] - C:\Program Files (x86)\AVG Secure Search\vprot.exe [2236080 2013-06-26] ()
HKLM-x32\...\Run: [FLxHCIm64] - C:\Program Files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe [48128 2012-07-18] (Windows ® Win 7 DDK provider)
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKU\Default\...\Run: [Sidebar] - C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] - C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\michael\...\Run: [Steam] - C:\Program Files (x86)\Steam\Steam.exe [1641896 2013-06-06] (Valve Corporation)
HKU\michael\...\Run: [Sidebar] - C:\Program Files\Windows Sidebar\sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\michael\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-02-08] (Google Inc.)
HKU\UpdatusUser\...\Run: [Sidebar] - C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
Startup: C:\Users\michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Intel® Turbo Boost Technology Monitor 2.0.lnk
ShortcutTarget: Intel® Turbo Boost Technology Monitor 2.0.lnk -> C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe (Intel® Corporation)
Startup: C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
==================== Services (Whitelisted) =================
S2 AsusUacSvc; C:\Program Files\Asus\Rotation Desktop for G Series\AsusUacSvc.exe [113840 2010-07-27] ()
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2011-05-02] ()
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S3 npggsvc; C:\Windows\SysWow64\GameMon.des [4276136 2013-03-22] (INCA Internet Co., Ltd.)
S2 VideAceWindowsService; C:\ExpressGateUtil\VAWinService.exe [91464 2011-03-25] ()
S2 vToolbarUpdater15.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [1598128 2013-06-26] (AVG Secure Search)
==================== Drivers (Whitelisted) ====================
S1 ATKWMIACPIIO_; C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17536 2011-09-07] (ASUS)
S1 ATKWMIACPIIO_; C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [17536 2011-09-07] (ASUS)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-28] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-20] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-06-26] (AVG Technologies)
S3 FLxHCIh; C:\Windows\System32\DRIVERS\FLxHCIh.sys [76584 2012-07-18] (Fresco Logic)
S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S1 MpKsl1a649cd2; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5665DBBF-880F-4049-9C5D-977EAF765E6B}\MpKsl1a649cd2.sys [35664 2013-07-01] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 SmbDrv; C:\Windows\System32\DRIVERS\Smb_driver.sys [22800 2012-01-26] (Synaptics Incorporated)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [x]
==================== NetSvcs (Whitelisted) ===================
==================== One Month Created Files and Folders ========
2013-07-28 03:30 - 2013-07-28 03:30 - 00000000 ____D C:\FRST
2013-07-01 07:39 - 2013-07-22 22:16 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-06-30 19:21 - 2013-06-30 19:21 - 00001945 _____ C:\Windows\epplauncher.mif
2013-06-30 19:21 - 2013-06-30 19:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-06-30 19:21 - 2013-06-30 19:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
==================== One Month Modified Files and Folders =======
2013-07-28 03:30 - 2013-07-28 03:30 - 00000000 ____D C:\FRST
2013-07-27 20:49 - 2012-03-28 16:45 - 00000000 ____D C:\ProgramData\P4G
2013-07-27 20:49 - 2012-02-10 09:10 - 00000000 ____D C:\users\michael
2013-07-27 20:49 - 2011-11-23 03:58 - 00000000 ___HD C:\ExpressGateUtil
2013-07-27 20:49 - 2011-11-23 03:44 - 00000000 ____D C:\ProgramData\NVIDIA
2013-07-27 20:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-07-22 22:16 - 2013-07-01 07:39 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-07-01 03:26 - 2012-02-10 09:12 - 00000000 ____D C:\Users\michael\AppData\Local\Deployment
2013-07-01 03:10 - 2011-11-23 03:36 - 01444974 _____ C:\Windows\WindowsUpdate.log
2013-07-01 02:57 - 2013-02-08 02:57 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-01 02:38 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-01 02:38 - 2009-07-13 20:45 - 00009920 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-01 02:33 - 2009-07-13 21:13 - 00809504 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-01 02:30 - 2013-02-08 02:57 - 00000900 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-01 02:30 - 2013-02-08 02:57 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-01 02:28 - 2012-03-28 16:48 - 00000380 _____ C:\Users\michael\AppData\Roaming\sp_data.sys
2013-07-01 02:26 - 2013-04-29 01:56 - 00006048 _____ C:\Windows\setupact.log
2013-07-01 02:26 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-06-30 19:21 - 2013-06-30 19:21 - 00001945 _____ C:\Windows\epplauncher.mif
2013-06-30 19:21 - 2013-06-30 19:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-06-30 19:21 - 2013-06-30 19:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-06-30 19:17 - 2011-09-23 04:51 - 00803720 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-06-30 17:29 - 2013-04-21 07:10 - 00000000 ____D C:\ProgramData\MFAData
2013-06-30 12:44 - 2013-06-12 04:25 - 00000000 ____D C:\Program Files (x86)\RIFT
2013-06-30 04:03 - 2012-05-26 03:03 - 00000000 ____D C:\Program Files (x86)\Steam
2013-06-29 06:52 - 2012-11-11 07:24 - 00000000 ____D C:\Program Files (x86)\Warcraft III
Files to move or delete:
====================
C:\Windows\svchost.exe
ATTENTION ====> Check for partition/boot infection.
==================== Known DLLs (Whitelisted) ================
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
TDL4: custom:26000022 <===== ATTENTION!
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2013-07-01 03:12:05
==================== Memory info ===========================
Percentage of memory in use: 10%
Total physical RAM: 8169.16 MB
Available physical RAM: 7348.24 MB
Total Pagefile: 8167.31 MB
Available Pagefile: 7353.17 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:440.76 GB) (Free:11.14 GB) NTFS (Disk=1 Partition=2) ==>[System with boot components (obtained from reading drive)]
ATTENTION: Malware custom entry on BCD on drive c: detected.
Drive e: (SDATA2) (Fixed) (Total:232.89 GB) (Free:232.76 GB) NTFS (Disk=0 Partition=2)
Drive f: (Jul2013av) (CDROM) (Total:0.02 GB) (Free:0 GB) CDFS
Drive g: (NEW VOLUME) (Removable) (Total:3.72 GB) (Free:2.88 GB) FAT32 (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SDATA1) (Fixed) (Total:232.87 GB) (Free:232.75 GB) NTFS (Disk=0 Partition=1)
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 466 GB) (Disk ID: BBC58B91)
Partition 1: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: E3102A4B)
Partition 1: (Not Active) - (Size=25 GB) - (Type=1C)
Partition 2: (Active) - (Size=441 GB) - (Type=07 NTFS)
========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 4 GB) (Disk ID: 49E2FD2F)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)
LastRegBack: 2013-06-16 09:13
==================== End Of Log ============================
Source: http://www.bleepingcomputer.com/forums/t/502472/windows-7-boot-sector-infection/