mrtstub.exe and other issues.


Re: mrtstub.exe and other issues.

Post by Sonic324 » August 20th, 2011, 5:00 pm

After doing a system restore, my computer fired up right away like it's supposed to. The infection is still there, but I have internet and command prompt functions once again.
I do have the XP installation CD that came with my computer. I have reformatted in the past, but was not willing to this time due to the files I have on my computer. I have dozens of movies, tons of music, pictures etc., so I do not want to lose all of them. I've tried to save them, but when I try to burn to a CD, or plug in my flash drive, the program is immediately terminated. If I could find a way to save all the stuff I want (over 100 GB) I would have no problem reformatting.
After the last OTL fix we ran that caused the last problem, I am also still unable to open OTL; the icon was changed to a default one and I get the same 'you may not have permission' error message as with MWB.
Is there still hope that this can be fixed? Or am I just gonna have to man up and delete all of my stuff?

Re: mrtstub.exe and other issues.

Post by diver79 » August 21st, 2011, 12:38 pm

Hi Sonic324,

Sonic324 wrote: Is there still hope that this can be fixed? Or am I just gonna have to man up and delete all of my stuff?
Yes, there is still hope :) The tools we have used so far may not have worked but we still have other methods we can use. Reformatting is an option but we will only do this as a last resort.

Let's check your PC for a rootkit/MBR infection.


MBRCheck
  • Please download MBRCheck.exe and save it to your desktop.
  • Double click on MBRCheck.exe to run it.
  • A window similar to this should open on your desktop:
  • If you are prompted with options, enter N at the prompt and press Enter.
  • Press Enter again.
  • A log will open on your Desktop: MBRCheck_mm.dd.yy_hh.mm.ss.txt (where mm.dd.yy_hh.mm.ss are the date and time the scan was run).
  • Please post the contents of the log in your next reply.

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • * This can take a while. Please be patient. *
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of this log in your next reply.
  • This log can be lengthy; you may have to post it in separate replies.
  • Note: You may get the following warning - it is OK - just ignore it:
    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"

Re: mrtstub.exe and other issues.

Post by Sonic324 » August 21st, 2011, 4:34 pm

Here is my MBR scanner log. The Rootkit Unhooker scanned all the way through, was in the process of putting together a report, then it was terminated and now I cannot open the program again.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 118):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E2000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F31000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xB9F12000 fltmgr.sys
0xB9F00000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9EE9000 KSecDD.sys
0xB9E5C000 Ntfs.sys
0xB9E2F000 NDIS.sys
0xB9E14000 Mup.sys
0xBA318000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xB91E9000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB91D5000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB91B0000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA3F8000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB918D000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xBA400000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9173000 \SystemRoot\System32\DRIVERS\Rtenicxp.sys
0xBA408000 \SystemRoot\System32\DRIVERS\fdc.sys
0xBA5CA000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xBA148000 \SystemRoot\System32\DRIVERS\serial.sys
0xBA590000 \SystemRoot\System32\DRIVERS\serenum.sys
0xBA158000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA168000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xBA1D8000 \SystemRoot\System32\DRIVERS\redbook.sys
0xB9150000 \systemroot\system32\drivers\ks.sys
0xBA248000 \??\ACPI#PNP0303#2&da1a3ff&0\U\@800000cf
0xBA258000 \??\ACPI#PNP0303#2&da1a3ff&0\U\@800000cb
0xBA498000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA713000 \SystemRoot\System32\DRIVERS\audstub.sys
0xBA298000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xB9DE4000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB9139000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBA2A8000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xBA2B8000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xBA4A0000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB9088000 \SystemRoot\System32\DRIVERS\psched.sys
0xBA2C8000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xBA4A8000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xBA4B0000 \SystemRoot\System32\DRIVERS\raspti.sys
0xBA2D8000 \SystemRoot\System32\DRIVERS\termdd.sys
0xBA340000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xBA378000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xBA5D4000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB9054000 \SystemRoot\System32\DRIVERS\update.sys
0xB9DD8000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xBA308000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAD01A000 \SystemRoot\system32\drivers\AtiHdmi.sys
0xACFF8000 \SystemRoot\system32\drivers\portcls.sys
0xBA198000 \SystemRoot\system32\drivers\drmk.sys
0xBA1B8000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xBA5E2000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xACF22000 \SystemRoot\system32\drivers\viahduaa.sys
0xACDCE000 \SystemRoot\system32\drivers\monfilt.sys
0xBA388000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xBA5E6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA73E000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5E8000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA398000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xBA3A0000 \SystemRoot\System32\drivers\vga.sys
0xBA5EA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5EC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA3A8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA3B0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA548000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xACCD3000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xACC7B000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xACC53000 \SystemRoot\System32\DRIVERS\netbt.sys
0xACC32000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xACC10000 \SystemRoot\System32\drivers\afd.sys
0xBA208000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xBA228000 \SystemRoot\System32\DRIVERS\netbios.sys
0xACBBC000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xACB4D000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xBA268000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA3D0000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xB9129000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA588000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xB9119000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xBA58C000 \SystemRoot\System32\DRIVERS\kbdhid.sys
0xBA594000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xACB35000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5FE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xACDA6000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA410000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA691000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF060000 \SystemRoot\System32\ati2cqag.dll
0xBF10C000 \SystemRoot\System32\atikvmag.dll
0xBF1BB000 \SystemRoot\System32\atiok3x2.dll
0xBF220000 \SystemRoot\System32\ati3duag.dll
0xBF9C4000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA9FE4000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xA9CD7000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9E44000 \SystemRoot\system32\drivers\sysaudio.sys
0xA98F3000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xA9784000 \SystemRoot\System32\DRIVERS\srv.sys
0xA9423000 \SystemRoot\System32\Drivers\HTTP.sys
0xA9309000 \SystemRoot\system32\drivers\kmixer.sys
0xA92E6000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 29):
0 System Idle Process
4 System
576 C:\WINDOWS\system32\smss.exe
624 csrss.exe
656 C:\WINDOWS\system32\winlogon.exe
700 C:\WINDOWS\system32\services.exe
712 C:\WINDOWS\system32\lsass.exe
884 C:\WINDOWS\system32\ati2evxx.exe
904 C:\WINDOWS\system32\svchost.exe
912 C:\WINDOWS\1349591449:1725861551.exe
980 svchost.exe
1080 C:\WINDOWS\system32\svchost.exe
1212 svchost.exe
1308 svchost.exe
1488 C:\WINDOWS\system32\ati2evxx.exe
1768 C:\WINDOWS\explorer.exe
1856 C:\Program Files\iTunes\iTunesHelper.exe
2000 C:\Program Files\Internet Explorer\iexplore.exe
172 svchost.exe
192 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
244 C:\Program Files\Bonjour\mDNSResponder.exe
496 C:\WINDOWS\system32\svchost.exe
1572 C:\WINDOWS\system32\wuauclt.exe
1724 C:\Program Files\iPod\bin\iPodService.exe
2208 alg.exe
2456 C:\WINDOWS\system32\wscntfy.exe
2696 wmiprvse.exe
2976 C:\WINDOWS\system32\wuauclt.exe
3040 C:\Documents and Settings\Sonic\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200AAKS-75L9A0, Rev: 01.03E01

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
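Added example (not part of this thread or of the MBRCheck tool): the Processes section of the log above lists PID 912 running from C:\WINDOWS\1349591449:1725861551.exe, a path with a colon after the drive letter, which means the image was loaded from an NTFS alternate data stream. This Python script pulls the Processes section out of MBRCheck log text and flags any process whose image sits in a stream; the sample log is a constructed excerpt that includes that line.

```python
import re
from typing import List, Tuple

# Constructed excerpt of an MBRCheck "Processes" section. PID 912 is copied from
# the log posted in this thread; the other rows are ordinary XP processes, kept
# short so the example stays readable.
SAMPLE_LOG = """Processes (total 6):
0 System Idle Process
4 System
576 C:\\WINDOWS\\system32\\smss.exe
624 csrss.exe
912 C:\\WINDOWS\\1349591449:1725861551.exe
1768 C:\\WINDOWS\\explorer.exe

\\\\.\\C: --> \\\\.\\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
"""

# "<pid> <image>"; MBRCheck prints a bare file name when it cannot resolve the path.
PROCESS_LINE = re.compile(r"^(\d+)\s+(.+?)\s*$")


def parse_processes(log_text: str) -> List[Tuple[int, str]]:
    """Return (pid, image) pairs from the 'Processes' section of an MBRCheck log."""
    procs: List[Tuple[int, str]] = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("Processes ("):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip():          # the section ends at the first blank line
            break
        m = PROCESS_LINE.match(line)
        if m:
            procs.append((int(m.group(1)), m.group(2)))
    return procs


def is_ads_path(image: str) -> bool:
    """True when a Win32 path names an NTFS alternate data stream (file:stream).

    A colon is legal only as the second character of a path (the drive letter).
    Any colon after that is a stream separator, and Windows' own system
    processes do not run from a stream, so such an image is worth investigating.
    """
    if image.startswith("\\\\?\\"):   # drop an extended-length prefix if present
        image = image[4:]
    return ":" in image[2:]


def find_ads_processes(log_text: str) -> List[Tuple[int, str]]:
    """Processes from the log whose image path points into an alternate data stream."""
    return [(pid, img) for pid, img in parse_processes(log_text) if is_ads_path(img)]


if __name__ == "__main__":
    for pid, img in find_ads_processes(SAMPLE_LOG):
        print(f"PID {pid}: image loaded from alternate data stream -> {img}")
```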

Re: mrtstub.exe and other issues.

Post by diver79 » August 22nd, 2011, 8:34 am

Hi Sonic324,

The MBRCheck log came back clear. We will use a tool called ComboFix against the infection. Let me know how the PC is performing once ComboFix has run. Instructions below.

Download and Run ComboFix

  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

  • Note: You must rename it before saving it. Rename it: notepad. See images below.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

Re: mrtstub.exe and other issues.

Post by Sonic324 » August 22nd, 2011, 6:53 pm

I downloaded and renamed it. Upon opening it, it starts an initial scan/unzip with green lettering. Halfway through, mrtstub kills it and I cannot reopen it due to not having permission. Now I cannot even delete it from my desktop. Keeps telling me Access Denied, so now I'm permanently stuck with it.

Re: mrtstub.exe and other issues.

Post by diver79 » August 23rd, 2011, 11:26 am

Hi Sonic324,

Let's see if we can get ComboFix to work in Safe Mode.

Boot into Safe Mode

Reboot your computer in Safe Mode with Networking.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode with Networking option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Log in on your usual account.

Download and Run ComboFix
  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

  • Note: You must rename it before saving it. Rename it: mspaint. See images below.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

Re: mrtstub.exe and other issues.

Post by Sonic324 » August 23rd, 2011, 1:16 pm

Massive critical errors and complete system failure now. Whatever it was, my hard drive is now completely shot. I appreciate your help, but we did not get it done before it was able to do its thing. Being as I know exactly where I got it from, do you know where I might be able to report the site to prevent this thing from getting to other people?

Re: mrtstub.exe and other issues.

Post by diver79 » August 24th, 2011, 9:17 am

Hi Sonic324,

I believe you are infected with a particularly nasty rootkit called ZeroAccess. It has many tripwires that prevent the tools we use from removing it. Because of the severity and the capabilities of this type of virus, the only responsible course of action I can advise is to back up your files, reformat your computer and reinstall Windows.

I am sorry the news is not better. Should you have any questions, please feel free to ask.

diver79.

Re: mrtstub.exe and other issues.

Post by Sonic324 » August 24th, 2011, 11:18 am

As previously stated, I cannot back anything up. Online uploads don't work, the CD drive won't work, even flash drives won't work. There are no options; as I stated in my last post, my hard drive is already fried. There is nothing that can be done now. Any ideas about the question I asked?

Re: mrtstub.exe and other issues.

Post by diver79 » August 25th, 2011, 4:03 pm

Hi Sonic324,

Google offers a malware reporting service here: http://www.google.co.uk/safebrowsing/report_badware/

I am not 100% sure what they will do with the information. They will, at a minimum, be able to test the site and, if anything malicious is found, be able to flag the site as malicious in search results.

Hope this helps

diver79

Re: mrtstub.exe and other issues.

Post by Cypher » August 27th, 2011, 12:29 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.