stat b or konkoor

  • Thread starter: Nick
I cleaned my MBR with ivinit.exe and I still have something trying to
re-write my MBR when I boot. I have the MBR protected in the system
board's BIOS. Any help on tracking down what is trying to rewrite
the MBR?
I ran a program to list everything at startup
and got this file, but it's beyond me.

StartupList report, 5/11/04, 6:03:15 PM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
ICSMGR = ICSMGR.EXE
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe
SystemTray = SysTray.Exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Logitech Utility = LOGI_MWX.EXE
Pop-Up Stopper = "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ccEvtMgr = "C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script
Blocking\SBServ.exe" -reg
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
MiniLog = C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NOMAD Detector = "C:\PROGRAM
FILES\CREATIVE\SBLIVE\PLAYCENTER2\CTNMRUN.EXE"
NVIEW = rundll32.exe nview.dll,nViewLoadHook

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll ctpnpscn.drv power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/5/2004, 12:39:14)

[rename]
NUL=c:\program files\morpheus\fsg.exe
NUL=c:\program files\morpheus\cd_install_310.exe
NUL=c:\windows\cookies\nick@atdmt[2].txt
NUL=c:\windows\cookies\nick@mysearch[2].txt
NUL=d:\c drive\program files\morpheus\fsg.exe
NUL=d:\c drive\program files\morpheus\cd_install_310.exe
NUL=d:\windows\system\bdeinstall.exe
NUL=d:\windows\system\bderastdx6_30002.dll
NUL=d:\windows\system\bderastmmx_30001.dll
NUL=d:\windows\system\bdesac10.dll
NUL=d:\windows\system\bdeload.dll
NUL=d:\windows\system\bde3d_ref2.dll
NUL=d:\windows\system\bdedownloader.dll
NUL=d:\windows\system\bdeinsta2.dll
NUL=d:\windows\system\bdefdi.dll
NUL=d:\windows\system\bdedata2.dll
NUL=d:\windows\system\advert.dll
NUL=d:\windows\cookies\[email protected][1].txt
NUL=d:\windows\cookies\[email protected][1].txt
NUL=d:\windows\cookies\[email protected][2].txt
NUL=d:\windows\cookies\nick@clickagents[3].txt
NUL=d:\windows\cookies\nick@fastclick[3].txt
NUL=d:\windows\cookies\nick@mediaplex[4].txt
NUL=d:\windows\cookies\nick@linksynergy[3].txt
NUL=d:\windows\cookies\nick@cms[2].txt
NUL=d:\windows\cookies\nick@zedo[1].txt
NUL=d:\windows\cookies\nick@targetnet[2].txt
NUL=d:\windows\cookies\[email protected][1].txt
NUL=d:\windows\cookies\nick@advertising[2].txt
NUL=d:\windows\cookies\nick@x10[2].txt
NUL=d:\windows\cookies\nick@ajrotator[1].txt
NUL=d:\windows\cookies\nick@valueclick[3].txt
NUL=d:\windows\cookies\nick@bluestreak[2].txt
NUL=d:\windows\cookies\nick@cgi-bin[2].txt
NUL=d:\windows\cookies\nick@addynamix[2].txt
NUL=d:\windows\cookies\nick@zedo[2].txt
NUL=d:\windows\cookies\[email protected][1].txt
NUL=d:\windows\cookies\nick@advertising[1].txt
NUL=d:\windows\cookies\nick@trafficmp[2].txt
NUL=d:\windows\cookies\[email protected][3].txt
NUL=d:\windows\cookies\nick@mediaplex[2].txt
NUL=d:\windows\cookies\nick@fastclick[2].txt
NUL=d:\windows\cookies\nick@centrport[1].txt
NUL=d:\windows\cookies\nick@bluestreak[1].txt
NUL=d:\windows\cookies\nick@linksynergy[1].txt
NUL=d:\windows\cookies\[email protected][1].txt
NUL=d:\windows\cookies\[email protected][2].txt
NUL=d:\windows\cookies\nick@clickagents[1].txt
NUL=d:\windows\cookies\nick@atdmt[2].txt
NUL=d:\windows\cookies\nick@hitbox[2].txt
NUL=d:\windows\cookies\[email protected][1].txt
NUL=d:\windows\cookies\nick@realmedia[1].txt
NUL=d:\windows\cookies\nick@valueclick[2].txt
NUL=d:\windows\cookies\nick@linksynergy[2].txt
NUL=d:\windows\cookies\nick@mediaplex[1].txt
NUL=d:\windows\cookies\nick@sexlist[1].txt
NUL=d:\windows\cookies\[email protected][1].txt
NUL=d:\windows\cookies\[email protected][1].txt
NUL=d:\windows\cookies\nick@flycast[1].txt
NUL=d:\windows\cookies\nick@excite[2].txt
NUL=d:\windows\cookies\nick@bfast[1].txt
NUL=d:\windows\cookies\nick@focalink[1].txt
NUL=d:\windows\cookies\nick@doubleclick[1].txt
NUL=d:\windows\bde\bdeclean.exe
NUL=d:\bde\bdeviewer.exe
NUL=d:\bde\bdeimage.dll
NUL=d:\bde\bdeengine2.dll
NUL=d:\bde\bdeplayer2.dll
NUL=d:\bde\npbdplay2.dll
NUL=d:\bde\cache\bdeclean.exe
NUL=d:\bde\cache\bdedetect1.dll
NUL=d:\bde\cache\b3d.b3d
NUL=d:\bde\cache\b3dstats.cab
NUL=d:\bde\cache\installb3drasts.cab
NUL=d:\bde\cache\installb3dcodecs.cab
NUL=d:\bde\cache\installnsplugins.cab
NUL=d:\bde\cache\syscheckb3dplayer.cab
NUL=d:\bde\cache\installb3dplayer3100.cab
NUL=d:\bde\cache\installb3dviewer2.cab
NUL=d:\bde\b3dlogo\b3d.b3d
NUL=d:\program files\divx\divx pro codec\gain_trickler_3202.exe
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

PATH C:\WINDOWS;C:\WINDOWS\COMMAND;C:\DOS
SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.0\ADOBEC~1;D:\Program
Files\PhotoDeluxe 2.0\AdobeConnectables
SET SOUND=C:\PROGRA~1\CREATIVE\CTSND
SET MIDI=SYNTH:1 MAP:E MODE:0
SET BLASTER=A220 I10 D0 H5 P300 E620 T6
SET TEMP=C:\DOS

--------------------------------------------------


Enumerating Browser Helper Objects:

My Search BHO - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL -
{014DA6C1-189F-421a-88CD-07CFE51CFF10}
(no name) - (no file) - {4C501E01-9063-11D7-81E0-0040F68C3873}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll -
{BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT
5.0\READER\ACTIVEX\ACROIEHELPER.OCX -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job
WINALIGN.JOB

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE =
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE =
http://207.188.7.150/207caf8189370c87ab01/netzip/RdxIE601.cab

[MSN File Upload Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MSNUPLD.DLL
CODEBASE = http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
CODEBASE = http://chat.msn.com/bin/msnchat45.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
CODEBASE = http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

[PhotosCtrl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YPHOTOS.DLL
CODEBASE = http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab

[EPSImageControl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EPSCONTROL.DLL
CODEBASE = http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = https://ww2.lifescan.com/otdms/isetup.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE =
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE =
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE =
http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE =
http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38056.8092013889

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\MCAFEE.COM\FREESCAN\MCFSCAN.DLL
CODEBASE =
http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4351/mcfscan.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 11,324 bytes
Report generated in 0.180 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of
platform
/history - to list version history only
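One way to get a first pass over a report like the one above is to parse it and pull out the entries a defender would want to verify by hand. The script below is an added example, not part of the original post or of the StartupList tool: it splits the report into its dash-delimited sections, re-joins lines that were wrapped by the forum software, and applies three triage rules of my own (assumptions, not verdicts): autorun values that name a bare executable with no path (so the file actually run is whatever the search path finds first), Browser Helper Objects registered with "(no file)" behind their CLSID, and Download Program Files controls whose CODEBASE points at a raw IP address rather than a vendor hostname. The embedded input is a constructed excerpt in the report's format, not the full report.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed excerpt in StartupList 1.52 report format (wrapped lines kept
# as the forum shows them); not the complete report from the post.
SAMPLE_REPORT = r"""StartupList report, 5/11/04, 6:03:15 PM
StartupList version: 1.52
==================================================

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ICSMGR = ICSMGR.EXE
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Logitech Utility = LOGI_MWX.EXE

--------------------------------------------------

Enumerating Browser Helper Objects:

My Search BHO - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL -
{014DA6C1-189F-421a-88CD-07CFE51CFF10}
(no name) - (no file) - {4C501E01-9063-11D7-81E0-0040F68C3873}

--------------------------------------------------

Enumerating Download Program Files:

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE =
http://207.188.7.150/207caf8189370c87ab01/netzip/RdxIE601.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
CODEBASE = http://chat.msn.com/bin/msnchat45.cab

--------------------------------------------------
End of report, 11,324 bytes
"""


def _unwrap(lines):
    """Re-join entries wrapped onto a second line. A line with no ' = ' or
    ' - ' separator and no [name] header is a continuation of the previous
    line (e.g. a CODEBASE URL or a BHO's {CLSID} pushed to its own line)."""
    out = []
    for ln in lines:
        starts_entry = (" = " in ln or ln.endswith(" =") or ln.startswith("[")
                        or " - " in ln or ln.endswith(" -"))
        if out and not starts_entry:
            out[-1] = out[-1] + " " + ln.strip()
        else:
            out.append(ln)
    return out


def split_sections(report):
    """Return [(title, registry_key_or_None, entry_lines)] per section."""
    sections = []
    for chunk in re.split(r"^-{10,}\s*$|^={10,}\s*$", report, flags=re.M):
        lines = [ln.rstrip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        title, key, rest = lines[0], None, lines[1:]
        if title.startswith("Autorun entries") and rest and rest[0].startswith("HK"):
            key, rest = rest[0], rest[1:]
        sections.append((title, key, _unwrap(rest)))
    return sections


def _first_token(cmd):
    """The program part of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _is_ip_host(url):
    host = urlparse(url.strip()).hostname
    try:
        return host is not None and ip_address(host) is not None
    except ValueError:
        return False


def triage(report):
    """Apply the three (assumed) triage rules; returns (rule, where, what)."""
    findings = []
    for title, key, lines in split_sections(report):
        if title.startswith("Autorun entries") and key:
            for ln in lines:
                name, sep, cmd = ln.partition(" = ")
                exe = _first_token(cmd) if sep else ""
                # No drive letter or backslash: resolved via the search path.
                if sep and "\\" not in exe and ":" not in exe:
                    findings.append(("bare-name autorun", f"{key}\\{name}", exe))
        elif title.startswith("Enumerating Browser Helper Objects"):
            for ln in lines:
                parts = [p.strip() for p in ln.split(" - ")]
                if len(parts) >= 3 and parts[1] == "(no file)":
                    findings.append(("orphaned BHO", parts[2], parts[0]))
        elif title.startswith("Enumerating Download Program Files"):
            control = None
            for ln in lines:
                if ln.startswith("["):
                    control = ln.strip("[]")
                    continue
                field, sep, value = ln.partition(" = ")
                if sep and field == "CODEBASE" and _is_ip_host(value):
                    findings.append(("codebase from raw IP", control, value.strip()))
    return findings


if __name__ == "__main__":
    for rule, where, what in triage(SAMPLE_REPORT):
        print(f"{rule:22s} {where}  ->  {what}")
```

Each finding is a prompt to check the file on disk (where it lives, who signed it, what the AV scanner says about it), not a conclusion: a bare `SysTray.Exe` or `mstask.exe` in the Run keys is normal on Windows 98, and the rule exists only so the location of every autorun is confirmed rather than assumed.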

According to http://www.viruslibrary.com/virusinfo/KonkoorFamily.htm,
konkoor.3072 (the version that infects the MBR) also infects most .exe files.

I'd start by running a virus scan, with up-to-date definitions, in safe mode.

Take a look at F-Pup.exe on Art's page http://home.epix.net/~artnpeg/, for
a utility to get f-prot, and create boot disks.

You could try an online scan first, such as at www.ravantivirus.com.

Regards, Dave Hodgins