help with mbr@whistler please?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by grateful, Mar 10, 2011.

  1. grateful

    grateful Private E-2

    Avast finds this every time I start up

    Hi, I really appreciate your help and info. I've gone through the "read me first" and done all the steps. Attached are my bootkit log and mbr log.

    I'll attach the rest of the logs next

    Thank you much
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We need the following logs:
    SAS
    MBAM
    RootRepeal -- if it runs.
    ComboFix
    C:\MGLogs.zip

    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123tdk.com).
    • Click the Start Scan button.
    • Do not use the computer during the scan.
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory ( usually Local Disk C ).
    • Attach this log to your next message.
     
  3. grateful

    grateful Private E-2

    Thank you, logs are attached. A few things:

    1. ComboFix froze the first time around just after finding a problem with the MBR. I restarted and the second time it did not find the same.

    2. During MGtools I mistakenly double-clicked DisableUAC.reg.

    All else went as directed.

    Thanks for your help.

    MGlogs to follow.
     


  4. grateful

    grateful Private E-2

    Thanks again.
     


  5. grateful

    grateful Private E-2

    And this.
     
  6. grateful

    grateful Private E-2

    woof
     


  7. grateful

    grateful Private E-2

    It's been a really long day, I'm sorry for my idiocy. Here are the bootkit log and MBR logs I originally said I attached but did not. These were the first two I did, in this order.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please Disable Spybot's TeaTimer --> Should have been done as per the R&R instructions!

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!


    Yes, you do have a Master Boot Record (MBR) infection that needs to be removed, which we will get to below. You will need to boot to the Recovery Console that you have installed (perhaps when you installed ComboFix) to remove this infection.

    Now boot to the Recovery Console and run fixmbr to clear the Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    Then boot back into normal mode.

    Then rerun MBRCheck and attach the new log.
     
  9. grateful

    grateful Private E-2

    Same?
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When you boot to the Recovery Console, you will need to select 1863 GB \\.\PhysicalDrive2 as the drive to run FixMBR on.

    Once in the RC, type this:
    fixmbr \device\harddisk2

    Then re-run MBRCheck and attach the new log.
     
  11. grateful

    grateful Private E-2

    Took care of the TeaTimer issue, sorry.


    As stated, the only option was "1. C\:Windows" while running the Recovery Console.

    I typed the command "fixmbr\device\harddisk2" at the prompt but it returned with
    "command not recognized".

    I ran fixmbr anyway on the above sole choice, then ran MBRCheck again.

    Log is attached.

    Perhaps I am missing something obvious?
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your first log indicated two drives of 149 GB and a third of 1863 GB. What is this last drive? Is it an external drive?

    * Run MBRCheck.exe
    * Wait until you see the following lines:
    o Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    o Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.
    Enter your choice:

    * Please push the 'Y' key and then press Enter
    * When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
    * Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
    o Enter 1 and press the Enter key.
    * The program will show Available MBR codes as below

    * You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
    * The program will prompt for confirmation. Type 'YES' and hit Enter.
    * Left-click on the title bar (where the program name and path are written). From the menu choose Edit -> Select All.
    * You will see all the text in the window get highlighted.
    * Hit the Enter key on your keyboard to copy all of the text into the clipboard.
    * Paste that text into Notepad, save it to your desktop as MBRfix.txt
    * Restart your PC.
    * Attach the MBRfix.txt file to your next message.

    Now please re-run MBRCheck.exe and attach that log also.
     
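    MBRCheck's dump and restore options above work on the raw 512-byte first sector of a disk. As an added illustration (not code from this thread or from MBRCheck), the Python below does the same kind of check: it verifies the 0x55AA boot signature, decodes the four partition-table entries, and fingerprints the 440-byte boot-code area against a list of known-good hashes, reporting anything else as unknown. The sample sectors and the known-good hash list are constructed for the example.

```python
"""Check a 512-byte MBR the way MBRCheck does: verify the 0x55AA signature,
decode the partition table and fingerprint the boot-code area (where a
bootkit hides) against known-good hashes. All sample data is constructed."""
import hashlib
import struct

BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"  # bytes 510..511

def parse_partitions(mbr: bytes) -> list:
    """Return (bootable, type, lba_start, sector_count) per non-empty entry."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        flag, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append((flag == 0x80, ptype, lba, count))
    return parts

def analyze_mbr(mbr: bytes, known_good: dict) -> dict:
    """'clean' if the boot code matches a known hash, 'unknown' if it does
    not (MBRCheck's non-standard boot code), 'corrupt' if not a valid MBR."""
    if len(mbr) != 512 or mbr[510:512] != SIGNATURE:
        return {"status": "corrupt", "partitions": [], "boot_code": None}
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    status = "clean" if digest in known_good else "unknown"
    return {"status": status, "partitions": parse_partitions(mbr),
            "boot_code": known_good.get(digest, "sha256:" + digest)}

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code plus one bootable NTFS (0x07)
    partition starting at LBA 2048 with 0x1000000 sectors."""
    mbr = bytearray(512)
    mbr[:len(boot_code)] = boot_code
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, 0x1000000)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)

# Constructed stand-in for the genuine Windows boot code and its hash list.
GOOD_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
KNOWN_GOOD = {hashlib.sha256(GOOD_CODE).hexdigest(): "Sample Windows MBR code"}

if __name__ == "__main__":
    patched = b"\xEB\xFE" + GOOD_CODE[2:]  # boot code altered in place
    for label, code in (("original", GOOD_CODE), ("patched", patched)):
        print(label, analyze_mbr(build_sample_mbr(code), KNOWN_GOOD)["status"])
```

    Point it at a real dump (512 bytes read from \\.\PhysicalDriveN) and a hash list of genuine boot code, and a patched boot sector shows up as "unknown" while its partition table still decodes normally.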
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That was not the command I gave you, it needs the spacing after the fixmbr and the \device!!
    fixmbr \device\harddisk2
     
  14. grateful

    grateful Private E-2

    Yes, when I began communication here I had all external drives disconnected. The 149 GB drive is the only internal drive and is the system drive. Shall I continue your instructions with the drives connected or shall I disconnect them? This is where I have backed up all my data, I would hate to lose it.

    Thx
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You just need to have the external 1863 GB drive connected as this is the one we are trying to fix. Your last MBRCheck log showed only the one 149 GB and the 1836 GB. Run the fix I gave you using MBRCheck and then let's see where we stand.
     
  16. grateful

    grateful Private E-2

    Seems I failed. You will notice that I selected drive 2. The first time around I chose drive 1 and thought I had made a mistake and repeated. Same results.
     


  17. grateful

    grateful Private E-2

    I will try fixmbr.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The correct physical drive number is what MBRCheck showed you, which is >> PhysicalDrive1

    Thus you need to select 1.

    If you run fixmbr from the Recovery Console, you cannot just run fixmbr with no options because it will select your Windows boot drive, which is not the drive you need to fix.
    I believe you will need to run fixmbr \device\harddisk1

    Note the directions of the \ and note the space after fixmbr. What you showed you had typed in this thread did not have the correct syntax. TimW explained this in message # 13, but the hard disk # may need to be 1 not 2. You can check the drive map in the recovery console first. See the commands in the below link:

    http://support.microsoft.com/kb/314058
     
    Last edited: Mar 11, 2011
  19. grateful

    grateful Private E-2

    Yes, my mistake on the drive selection.

    Ran fixmbr using harddisk1 and rewrote the MBR for that disk.

    Here is the MBRCheck log after restart.

    Thx much
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nice! Looks good now. ;)

    Are you having any remaining malware problems?
     
  21. grateful

    grateful Private E-2

    Thanks for your help, both of you. I'll run a new Avast scan tomorrow to see. Since the MBR infections were the only ones to show up from all the scans requested, I think I may be in good shape.

    Nice. Is there a place to make a donation?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    See the links in our signatures which show how you can support Major Geeks.

    Did you just recently install SpyHunter while trying to fix your problems? Did you purchase it (hope not)? We don't recommend it. Uninstalling it is our recommendation.

    Also is Spyware Doctor 7.0 a paid version or free trial? If a free trial, uninstall it.

    You also need to uninstall the below old Sun Java versions and update as requested in the READ & RUN ME step 3:
    J2SE Runtime Environment 5.0 Update 8
    Java(TM) 6 Update 17



    Now we need to use ComboFix to DeQuarantine some files that it should not have removed.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\DeQuarantine_log.txt
    • I will ask for this log below.
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\DeQuarantine_log.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  23. grateful

    grateful Private E-2

    Got rid of the SpyHunter and Spyware Doctor. Yes, I was trying to find problems, heard they helped locate them.

    Java removed but not yet updated.

    Here are the requested logs.

    The machine seems to be working fine, although I never really experienced any noticeable problems other than constant requests for svchost.exe, Generic Host Process, Application Layer Gateway, echo 8 requests (?) and NT kernel to connect to the web, and multiple instances of svchost running, sometimes up to 10 or 12. There were slowdowns that occurred occasionally, but I run power-hungry stuff.

    All seems to be well.
     


  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


     
  25. grateful

    grateful Private E-2

    Done. Thank you much for your help.

    David
     
  26. grateful

    grateful Private E-2

    Let me just say that the comp is running very smoothly and all programs seem to not get as "hung up" as they were before. It's like a new PC.

    Thanks so much.

    Should any further problems be posted as a new thread, or should I continue with this one if something different should happen, provided I believe it is related?
     
  27. grateful

    grateful Private E-2

    One last thing: Spybot does not keep itself present in the running menu in the toolbar. How do I set it for constant running protection?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In order to have running protection from Spybot, you need to have its TeaTimer activated, which we recommended turning off in the READ & RUN ME, as we have never recommended using TeaTimer.
     
