Image it and run Malwarebytes and Combofix
Guido Elia
HELPPC - HELPPC SERVICE

________________________________
From: Tammy Stewart [mailto:copper...@personainternet.com]
Sent: Saturday, 19 November 2011 19.05
To: NT System Admin Issues
Subject: RE: Mevio?

Sounds a bit nasty -- I've run into a few of these lately.

What OS? and is it 32 or 64 bit?

Sounds like MBR infection - possibly mbr.sst.a or .b
It is commonly dropped with that & similar rogue AVs.

This program should tell you if the MBR is faked
http://ad13.geekstogo.com/MBRCheck.exe

**** If you are running SonicWall it will report that file as conficker. It is a f/p detection ****

All the tool does is check MBR, make log & gives you the ability to dump copy of the MBR and re-write the MBR if found infected.
If using the tool to fix MBR make sure if you have disk encryption enabled to disable that first or you may render system unbootable.

If 64 bit OS check also disk management. Possibly there is a whole new partition created by the infection that is loading before the OS.
If this is the case -- will need a bootable partition management tool to remove bad partition & reset the right one as active etc so it will boot. Infection set its partition to load before the others.

Tdsskiller might be able to detect the infection as well. (It cannot deal with the infection that creates the rootkit partition but usually can deal with MBR infection)

Process explorer -- if you double click the iexplore.exe process & look at tcp/ip tab you will see a ton of connections....

Tammy

From: Len Hammond [mailto:lenhammo...@gmail.com]
Sent: November-18-11 5:06 PM
To: NT System Admin Issues
Subject: Mevio?

Got one word for the group... Mevio

What is it and why would someone want it on a machine. So far I'm finding info saying it is a virus (and I tend to think that's right) and some conflicting info suggesting that it is something related to iTunes and is a music and/or video playing source and software.
To the best of my knowledge, this "mevio" was not invited into this machine by the owner, I'm just trying to get it out of his way. It keeps popping up and wanting to be installed/validated.

This machine also has reportedly been found after being idle overnight to be playing music out the speakers. They said it was like a radio station.

Also, the process = iexplore.exe is always running without Internet Explorer being in the applications area in Task Manager or on the task bar.

It does appear to have "arrived" at about the same time as a virus (trojan = AV Security 2012) that at this time seems to have been eradicated.

Ultimately, I think this, being an older machine will probably get refurbished with a wipe & reinstall before going back into permanent service. But, in the meantime, I'd like to get the guy working without the interruptions. Think I'll uninstall IE9 for a while and let him use Chrome, as IE seems to be the app that is causing the trouble, or IE has been compromised and the malware is causing the trouble through IE.

As always, thanks for the thoughts and help.

Len Hammond
CSI:Hartland, LLC

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
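As an added illustration (not code from the thread, from MBRCheck or from any other tool named above), here is a Python check that does the two things Tammy describes by hand: parse the MBR partition table from a 512-byte dump and compare the boot code against a dump taken from a known-good machine, flagging a second partition that has been set active ahead of the OS partition. The sector bytes and the baseline hash are constructed for the example; against a real machine you would feed it the first 512 bytes of the disk dump instead.

```python
import hashlib
import struct

PT_OFFSET, ENTRY_LEN, BOOT_SIG = 446, 16, b"\x55\xAA"

def parse_mbr(sector: bytes):
    """Split a 512-byte MBR into (boot_code, list of partition entries)."""
    if len(sector) != 512 or sector[510:512] != BOOT_SIG:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        e = sector[PT_OFFSET + i * ENTRY_LEN:PT_OFFSET + (i + 1) * ENTRY_LEN]
        lba, count = struct.unpack_from("<II", e, 8)  # little-endian start LBA, sector count
        if e[4] or count:  # skip empty entries (type 0x00 and no size)
            parts.append({"index": i, "active": e[0] == 0x80, "type": e[4],
                          "lba": lba, "sectors": count})
    return sector[:PT_OFFSET], parts

def audit_mbr(sector: bytes, known_good_sha256: str):
    """Return a list of findings; an empty list means nothing looked off."""
    boot_code, parts = parse_mbr(sector)
    findings = []
    if hashlib.sha256(boot_code).hexdigest() != known_good_sha256:
        findings.append("boot code differs from the known-good MBR dump")
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions marked active, expected exactly 1")
    # Heuristic: the active partition should be the first on disk; a later one set active is the "loads before the OS" case.
    elif active[0]["lba"] != min(p["lba"] for p in parts):
        findings.append(f"active partition #{active[0]['index']} at LBA {active[0]['lba']} "
                        "is not the first partition on the disk")
    return findings

def build_mbr(boot_code: bytes, entries):
    """Assemble a constructed MBR; entries are (status, type, start_lba, sectors)."""
    table = b"".join(struct.pack("<8BII", s, 0, 0, 0, t, 0, 0, 0, lba, n)
                     for s, t, lba, n in entries).ljust(64, b"\x00")
    return boot_code.ljust(PT_OFFSET, b"\x00") + table + BOOT_SIG

# Constructed sample data: a clean disk with one active NTFS partition, and the same disk after an extra partition was appended and flipped to active.
CLEAN_CODE = b"\xeb\x3c\x90CONSTRUCTED-CLEAN-BOOT-CODE"
BASELINE_SHA256 = hashlib.sha256(CLEAN_CODE.ljust(PT_OFFSET, b"\x00")).hexdigest()
CLEAN_SECTOR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 2048, 204_800_000)])
SUSPECT_SECTOR = build_mbr(b"\xeb\x3c\x90CONSTRUCTED-TAMPERED-CODE",
                           [(0x00, 0x07, 2048, 204_800_000), (0x80, 0x07, 204_802_048, 4096)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_SECTOR), ("suspect", SUSPECT_SECTOR)):
        print(name, audit_mbr(sector, BASELINE_SHA256) or ["no findings"])
```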