Possible MBR Rootkit - logs attached #1

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jlapolla, Feb 27, 2010.

  1. jlapolla

    jlapolla Private E-2

    My daughter picked up an infection that had a ton of pop-ups with virus warnings and redirects to porn pages. She ran Mbam, SAS, Spybot and Avast from boot scans and Safe Mode; Mbam cleared some stuff, then it returned, then she brought the PC to me.
    I've worked through your process, trying my best to stick to all guidelines because I know they work.

    I got a notice that AVG was running, but I could not find it in the programs list, or anywhere else.

    I'm actually on the machine now, and it seems to be working OK.

    The only issue I can see is that the RR Report says an MBR Rootkit is detected.

    Logs are attached. I included TWO Mbam logs because today's was clean, but the one she ran yesterday shows some items removed.

    Please advise.

    Many thanks, and good luck with all the NJ snow.
    John
     


  2. jlapolla

    jlapolla Private E-2

    Possible MBR Rootkit - logs attached #2

    Continuation of post - last two logs attached.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please keep all your replies in this thread.


    Yes you do have a Master Boot Record (MBR) infection that needs to be removed which we will get to below. You will need to boot to the Recovery Console to remove this infection.

    Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    Then boot back into normal mode.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Feb 27, 2010
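What the "MBR Rootkit detected" finding and the fixmbr step above are about, as an added example that is not code from this thread, from MajorGeeks or from the RootRepeal/MGtools tools: a small Python parser that takes a 512-byte MBR image, checks the 0x55AA boot signature, decodes the four partition entries, and hashes the 446-byte boot-code region against a known-good baseline. An MBR infection typically rewrites that boot code while leaving the partition table untouched so the machine still boots, which is also why fixmbr (which rewrites only the boot code) is the repair. All byte strings here are constructed stand-ins; a real baseline hash would be recorded from a known-clean machine with the same OS and boot loader, and reading the live sector on Windows requires a raw read of the physical drive as an administrator, which this example does not do.

```python
# Added example (not from the thread or MajorGeeks' tools): parse a
# 512-byte MBR image and compare its boot-code region against a
# known-good baseline hash. All byte strings below are constructed.
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot loader code (what fixmbr rewrites)
PART_TABLE_OFF = 446          # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511: must be present on a valid MBR


def parse_partition_table(mbr: bytes) -> List[Dict[str, int]]:
    """Return the four partition entries as dicts (unused entries have type 0)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def analyze_mbr(mbr: bytes, baseline_sha256: str) -> Dict[str, object]:
    """Check the signature, hash the boot code and compare it to the baseline.

    A hash mismatch with an intact partition table is the pattern an MBR
    rootkit leaves: it replaces the boot code but keeps the partitions so
    the system still boots.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    boot_code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    return {
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": boot_code_hash,
        "boot_code_matches_baseline": boot_code_hash == baseline_sha256,
        "partitions": parse_partition_table(mbr),
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed MBR: given boot code, one NTFS partition, signature."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    # one active (0x80) NTFS (0x07) partition starting at LBA 63, 20 GiB of sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 41943040)
    table = entry + b"\x00" * 16 * 3
    return boot_code + table + BOOT_SIGNATURE


# Constructed stand-ins for real boot code; a real baseline would be recorded
# from a known-clean machine with the same OS and boot loader.
CLEAN_BOOT_CODE = b"CONSTRUCTED-KNOWN-GOOD-BOOT-CODE"
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
# A "tampered" image: same partition table and signature, patched boot code.
TAMPERED_MBR = build_sample_mbr(b"PATCHED!" + CLEAN_BOOT_CODE[8:])


def verdict(mbr: bytes, baseline_sha256: str = BASELINE_SHA256) -> str:
    """Summarise an analysis as one word, the way a scanner report would."""
    r = analyze_mbr(mbr, baseline_sha256)
    if not r["valid_signature"]:
        return "invalid"
    return "clean" if r["boot_code_matches_baseline"] else "modified"


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = analyze_mbr(image, BASELINE_SHA256)
        print(name, verdict(image), result["boot_code_sha256"][:16],
              [p for p in result["partitions"] if p["type"]])
```

Running the block prints "clean" for the baseline image and "modified" for the patched one while both show the identical partition entry, which is the signal worth acting on: partitions intact, boot code changed. Comparing only the first 446 bytes is deliberate, since the partition table legitimately differs from machine to machine and is exactly what a repair such as fixmbr must preserve.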
  4. jlapolla

    jlapolla Private E-2

    Hi Tim,

    Ran mbrfix - everything seemed to go OK
    Ran Avenger and had an error message about tuornp not being a file. (it was an empty folder, which I now deleted)

    Everything seems to be OK, except the system seems a little slow, which may just be my imagination at this point.

    Files are attached. Please advise.

    Thanks very much for your help,
    John
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your newfiles log is empty. Let's have you do this:

    First:
    In the meantime, let's remove some junk.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The red is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.

    If you get an error message, tell me what it is. Otherwise, attach the new MGLogs.zip.
     
  6. jlapolla

    jlapolla Private E-2

    Tim
    The HJT fixes worked fine.

    Your fixME.reg patch worked. Received a success message.

    Attached is a new log for MGtools.

    I did some searches and found old AVG files/folders, even though AVG was not showing on the delete programs list. I have deleted all of these manually.

    In the process of trying to clean stuff up, I inadvertently deleted the MGtools folder, so to run this scan I did a fresh install. I hope that does not muck things up too much.

    thanks,
    John
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I need you to try what I posted again.
    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The red is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.

    Now tell me what errors you get.
     
  8. jlapolla

    jlapolla Private E-2

    Tim,
    Ran ShowNew from the cmd prompt. No errors.
    Updated MGlogs is attached.
    thanks,
    John
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Arrgghh!!!

    Click Start, Run, and enter cmd and click OK. This will open a command prompt window. In the command prompt window, enter the below commands each followed by the enter key:

    ver > c:\ver.txt
    dir C:\MGtools > C:\flist.txt

    Now attach the C:\ver.txt and C:\flist.txt files here. Note there is a space after the dir and before the >.
     
  10. jlapolla

    jlapolla Private E-2

    Sorry for the frustration.
    Both files are attached.
    thanks,
    John
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you disable all your AV and AS software when you ran the Shownew.bat?
     
  12. jlapolla

    jlapolla Private E-2

    I am fairly certain.
    Avast is stopped.
    MB anti malware, SAS, and Spybot are all passive. There is nothing else that I know of.
    What is the problem we are looking for?
    thanks,
    John
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The problem is that your newfiles log is empty. Please go to start / run / type:
    services.msc
    When that window opens, scroll down to the Windows Management Instrumentation (WMI) service and tell me what it is set to.
     
