MBR Code Faked

Welcome to Major Geeks!

Let's see if we can get your PC to boot up into the System Recovery Options. Normally this comes preinstalled as part of Vista and Win 7 PCs. Sometimes, it is possible to repair an MBR from this.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
​

• Select Command Prompt
• At the command prompt, type in the below commands and hit enter. The last command will cause your PC to reboot. Allow it to boot normally.

bootrec /fixmbr
exit
​

After reboot, rerun MBRcheck as you did earlier and then attach a new log from it.

 

Why didn't you attach the log from ComboFix? Did you have a problem running it? Also what about the logs from SUPERAntiSpyware and Malwarebytes?

It looks like you may have some new kond of MBR infection unless I'm reading something wrong in your logs. Can you explain why I see two 581.11 GB size drive letters ( C and S ) but you only have one physical drive of that size in your system. I see the below?

Code:

Get Logical Disk Info From WMI                                  
==============================================================  
Description       DeviceID  FileSystem  Size          VolumeName  
Local Fixed Disk  C:        NTFS        623961436160  OS          
CD-ROM Disc       E:                                              
Removable Disk    F:                                              
Removable Disk    G:                                              
Removable Disk    H:                                              
Removable Disk    I:                                              
CD-ROM Disc       M:                                              
Local Fixed Disk  S:        NTFS        623961436160  OS          
 
Get Disk Drive Info From WMI                                    
==============================================================  
Model                             Name                Size          
WDC WD6400AAKS-75A7B0 ATA Device  [URL="file://\\.\PHYSICALDRIVE0"]\\.\PHYSICALDRIVE0[/URL]  640132416000  
TEAC USB   HS-CF Card USB Device  [URL="file://\\.\PHYSICALDRIVE1"]\\.\PHYSICALDRIVE1[/URL]                
TEAC USB   HS-MS Card USB Device  [URL="file://\\.\PHYSICALDRIVE3"]\\.\PHYSICALDRIVE3[/URL]                
TEAC USB   HS-SD Card USB Device  [URL="file://\\.\PHYSICALDRIVE4"]\\.\PHYSICALDRIVE4[/URL]                
TEAC USB   HS-xD/SM USB Device    [URL="file://\\.\PHYSICALDRIVE2"]\\.\PHYSICALDRIVE2[/URL]                
 
Get Partition Info From WMI in K-bytes                          
==============================================================  
Bootable  Name                   Size          Type                     
FALSE     Disk #0, Partition #0  65769984      Unknown                  
TRUE      Disk #0, Partition #1  623961440256  Installable File System  

Does this possiblye have anything to do with using VirtualClone?

 

Goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• the TDSSkiller log
• C:\MGlogs.zip