MBRCheck.exe Reports 2 MBR Code Detected, How Do I Get Rid Of This?


Hello screen317,

I did what you said. I uninstalled Online Armor++ and started ComboFix in Safe mode at 01:30am.

ComboFix locked up at 01:57am. I cut the power to my computer at 02:45 to restart it.

I got Online Armor++ reloaded at 3:49am.

I don't know what else to do. I guess I'll start an attempt to save up enough money to buy an Apple Laptop.

What's your most trusted firewall, antivirus, antimalware, anti-MBR Rootkit, system to buy, Vipre Antivirus Premium ?

Sincerely, Yosemitest


  • Staff

Hi,

I'd like you to try running ComboFix once more with Online Armor uninstalled, if that's okay with you. We're going to run it differently this time so hopefully whatever is causing it to stall will be halted.

Grab a fresh copy of ComboFix and save it to your Desktop (rename it to yosemitest.com before you download it). Reboot into Safe Mode and uninstall Online Armor. Reboot back into Safe Mode.

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\yosemitest.com" /killall

Press Enter; ComboFix should run unhindered now. Let me know if it does...


Good morning screen317,

What is "WexTech AnswerWorks"?

I attempted what you asked and it didn't work.

I started yosemitest.com at 7:40am and it locked up at 8:02am.

Then I restarted my computer in normal mode and started yosemitest.com at 8:31am

and it locked up at 8:58am.

So I uninstalled:

SUPER Anti-Spyware Pro Lifetime

Spybot-Search and Destroy

SpywareBlaster

Secunia PSI Updater

Malwarebytes' Anti-Malware

CCleaner

RootRepeal.exe

S@E.exe

GMER.exe

RSIT.exe

dds.scr

ATF-Cleaner

rkill.scr

MBRCheck.exe

WexTech Answerworks

I then restarted yosemitest.com at 10:35am and watched it run.

At about 9:15pm I went to bed. At 4:30am I woke up and it had locked up my computer at 10:28pm.

It was still showing the screen message about "it should only take 10 minutes to run, but infected systems can take longer".

At 4:25am I started reloading C drive with a ghost image of my computer from 7 days ago.

It finished at about 5:45am.

I am so sick of this problem, I don't know what to do.

Sincerely, yosemitest


  • Staff
I started yosemitest.com at 7:40am and it locked up at 8:02am.

Then I restarted my computer in normal mode and started yosemitest.com at 8:31am

and it locked up at 8:58am.

So I uninstalled:

SUPER Anti-Spyware Pro Lifetime

Spybot-Search and Destroy

SpywareBlaster

Secunia PSI Updater

Malwarebytes' Anti-Malware

CCleaner

RootRepeal.exe

S@E.exe

GMER.exe

RSIT.exe

dds.scr

ATF-Cleaner

rkill.scr

MBRCheck.exe

WexTech Answerworks

But you didn't uninstall Online Armor?

Hello screen317,

I attempted what you asked and it didn't work.

Meaning, I uninstalled Online Armor++ first.

Then when it didn't work under Safe Mode, I tried it under Normal Mode, I even let it install the updated "ComboFix.exe".

Now, after I reloaded my computer from the "Ghost Image of 7, now 8 days ago", an interesting thing happened.

When I first restarted the computer, before the "Toshiba Start Screen", where you have the option of F-2 or F-12, and before the screen for the System Restore Option or normal Windows XP, there was a black screen with a flashing underline, like a "DOS" screen that was there for about 2 seconds.

When Windows XP started and I logged in, then I reloaded "Online Armor++" and I updated it, when I did the full scan, it found the

C:\Documents and Settings\All Users\Application Data\Symantec\hpc\:3898751835 Suspicious (alternate data stream)

but it didn't find the

C:\Documents and Settings\All Users\Application Data\TEMP\:5C321E34 Suspicious (alternate data stream)

It found two copies of a Worm.Win32.Mabezat!IK, loaded into a file in "System Volume Information" for a backup to "Combofix.exe", and in a file for that file's ".bak" file.

I used "RootRepeal.exe" to "Wipe" and "Force Delete" both of those files.

There were four other files that had the ADS in them, that it found, and I extracted those Alternate Data Streams.

I've been reloading updates to those programs that I Uninstalled and Reinstalled, and now I'm doing all the full scans.

I should complete those scans by tonight.

Sincerely, Yosemitest


  • Staff
I attempted what you asked and it didn't work.

Meaning, I uninstalled Online Armor++ first.

Then when it didn't work under Safe Mode, I tried it under Normal Mode, I even let it install the updated "ComboFix.exe".

All right.. fair enough.
Now, after I reloaded my computer from the "Ghost Image of 7, now 8 days ago", an interesting thing happened.

When I first restarted the computer, before the "Toshiba Start Screen", where you have the option of F-2 or F-12, and before the screen for the System Restore Option or normal Windows XP, there was a black screen with a flashing underline, like a "DOS" screen that was there for about 2 seconds.

That's not uncommon.
When Windows XP started and I logged in, then I reloaded "Online Armor++" and I updated it, when I did the full scan, it found the

C:\Documents and Settings\All Users\Application Data\Symantec\hpc\:3898751835 Suspicious (alternate data stream)

This is legitimate and is related to your Norton software. This detection is a false positive.

The old one...

C:\Documents and Settings\All Users\Application Data\TEMP\:5C321E34 Suspicious (alternate data stream)

...probably is too.

I want you to keep in mind that alternate data streams (ADS) are not malicious in themselves. Software utilizes them (as seen by Norton above), but it's likely that Online Armor is being highly suspicious because many ADS are in fact malicious. However, here that does not appear to be the case.

It found two copies of a Worm.Win32.Mabezat!IK, loaded into a file in "System Volume Information" for a backup to "Combofix.exe", and in a file for that file's ".bak" file.
Another false positive. ComboFix isn't malicious; otherwise I wouldn't have instructed you to download it.
I've been reloading updates to those programs that I Uninstalled and Reinstalled, and now I'm doing all the full scans.

I should complete those scans by tonight.

Let me know what the other scans show.

In addition, are you still being redirected? If so, to where and in which browsers?


Screen317,

Let me know what the other scans show.

They showed no malicious programs detected.

ComboFix isn't malicious; otherwise I wouldn't have instructed you to download it.

The copy of ComboFix that was on the desktop was clean. It was only the copies in the System Volume Information that were corrupt, and they were backed up by ComboFix's backup as the program started and before it started the system scan, (I think).

The copy that was on my desktop and in my Norton Ghost 12.0 image was clean.

At least the "Online Armor++" Full Scan didn't detect anything on them.

In addition, are you still being redirected? If so, to where and in which browsers?

I'll keep a close watch for this, but I haven't noticed that happening since I reloaded my C Drive from the ghost image yesterday.

But I haven't been on the internet very much, except to update my security programs, and clean up my e-mail.

I'm learning more about how to use "Online Armor++" Firewall.

I'm keeping a close eye on the Firewall Log, and I'm trying to block some of the outgoing calls that just "pop up" while I'm using "Opera Web Browser".

I notice the port of the un-requested calls, either IN or OUT, and the number of the port.

Then I edit that port out, but some of them keep getting put back in and I'm not the one authorizing them to be put back in.

I don't know how to BLOCK out the call by the number called.

An example is from the History log.

C:\Program Files\My Opera Web Browser\opera.exe (?), Outgoing UDP access allowed to: 239.255.255.250:1900

From this entry I know to block the OUT 1900 port of opera.exe, but I don't know how to block the 239.255.255.250 .

There have been several other "Firewall: Automatic Decisions" that were approved, that I'd like to stop or Block, but I don't quite know how.

Sincerely, Yosemitest

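The history-log entry quoted in the post above is a useful one to understand before blocking it: 239.255.255.250 is an administratively scoped multicast address and port 1900/UDP is SSDP, the UPnP device-discovery protocol, so that packet is a local-network broadcast rather than a connection to an internet host. The following is an added example, not part of the thread and not Online Armor's own tooling: a small Python triage script that parses lines in the layout shown on the page, labels where each destination actually goes, and prints the narrowest rule (program, direction, protocol, address, port) that would cover it. The exact log layout beyond the one quoted line (the "(?)" marker, Incoming/blocked/TCP variants), and all sample lines other than the quoted one, are assumptions constructed for the example.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Layout of an Online Armor "History" entry, taken from the line quoted in the post:
#   <program path> (?), <Incoming|Outgoing> <TCP|UDP> access <allowed|blocked> to: <ip>:<port>
# Only the Outgoing/UDP/allowed form appears on the page; the other alternatives
# are an assumption about the format made for this example.
ENTRY_RE = re.compile(
    r"^(?P<program>.+?) \(\?\), "
    r"(?P<direction>Incoming|Outgoing) (?P<proto>TCP|UDP) access "
    r"(?P<decision>allowed|blocked) to: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$"
)


class Entry(NamedTuple):
    program: str
    direction: str
    proto: str
    decision: str
    ip: str
    port: int


# RFC 1918 ranges listed explicitly: the stdlib's is_private also matches documentation
# ranges such as 203.0.113.0/24, which would mislabel a public-looking address as LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SSDP_MULTICAST = ("239.255.255.250", 1900)  # UPnP/SSDP device discovery


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one history line; return None for lines that don't match the layout."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return Entry(m["program"], m["direction"], m["proto"], m["decision"], m["ip"], int(m["port"]))


def classify_destination(ip: str, port: int) -> str:
    """Label where a destination actually goes, so the reader can tell LAN noise from internet traffic."""
    addr = ipaddress.ip_address(ip)
    if (ip, port) == SSDP_MULTICAST:
        return "ssdp-multicast"  # local UPnP discovery; routers do not forward it to the internet
    if addr.is_multicast:
        return "multicast"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if any(addr in net for net in RFC1918):
        return "lan"
    return "internet"


def triage(lines: List[str]) -> List[Tuple[Entry, str]]:
    """Parse every line and attach a destination class; lines that are not entries are skipped."""
    result = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            result.append((entry, classify_destination(entry.ip, entry.port)))
    return result


def rule_for(entry: Entry) -> str:
    """Describe the narrowest rule covering this entry: program + direction + protocol + address + port."""
    return f"{entry.program}: block {entry.direction.lower()} {entry.proto} to {entry.ip}:{entry.port}"


# Sample history lines. The first is the entry quoted in the post; the rest are constructed
# (203.0.113.10 is an RFC 5737 documentation address standing in for an internet host).
SAMPLE_LOG = [
    r"C:\Program Files\My Opera Web Browser\opera.exe (?), Outgoing UDP access allowed to: 239.255.255.250:1900",
    r"C:\Program Files\My Opera Web Browser\opera.exe (?), Outgoing TCP access allowed to: 203.0.113.10:80",
    r"C:\WINDOWS\system32\svchost.exe (?), Outgoing UDP access allowed to: 192.168.1.1:53",
    "Firewall: Automatic Decisions",  # a heading line, not an entry; shown to be skipped
]

if __name__ == "__main__":
    for entry, kind in triage(SAMPLE_LOG):
        print(f"[{kind:15}] {rule_for(entry)}")
```

The point of classifying before blocking is that a rule keyed only on "port 1900 outgoing" would also hit any future program using that port, while a rule keyed on program plus destination address plus port is the narrowest match and is what a per-application firewall rule would normally be built from. Anything labelled "internet" that the user did not initiate is the category worth investigating; SSDP multicast from a browser is not evidence of compromise on its own.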

  • Staff

Hi,

I'm going to be honest here: I'm not too familiar with how to configure Online Armor++; I haven't used their software in a long time. What I would recommend for you is to visit Online Armor's forum; their experts will be able to guide you in configuring their software exactly how you need it to be configured, and they will be much better able to answer any questions you have about their specific product and what it is reporting.

If it were a question of what MBAM is doing, then I would be more than willing to provide my expertise; however, in my opinion my knowledge of their software is too limited to help you effectively.


  • 3 weeks later...

To screen317,

I still have a problem.

The other day, I left my computer up and running with the internet cable disconnected.

When I came back to it several hours later, my Online Armor++ Firewall Program Access had been totally changed.

All my program settings had been deleted and one new program had been set up with total access to everything.

It was titled in unicode with several "y" with two dots over it.

I'd have to let it happen again to give you the exact title, and then reload my drive from a ghost image.

I don't know but I think, to get rid of it, I'm going to have to re-format all drives and then reload my computer.

That's several days of work, and I'd like to save my data, but I don't know what's infected and what isn't infected.

Should I try to copy my "E" drive to several flash drives and then format that drive and "C" drive at the same time?

Sincerely, yosemitest.


  • Staff

Hi,

From the looks of things, your data has not been compromised and you should be able to back up your documents and other data just fine. A format and reinstallation of Windows at this point sounds like a good idea. Let me know if you need any help with that.

Did you end up posting at the Online Armor forums?


  • 5 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
