iexplore.exe / ieuser.exe - MBR issue?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by evantpdx, Jan 2, 2011.

  1. evantpdx

    evantpdx Private E-2

    I appear to have the same issue as several others have posted about. I have followed the READ & RUN up to running RootRepeal, which failed to run. When viewing the processes in the task manager, it opens for ~3 seconds, and then closes on its own. No messages of any kind are seen.

    I attempted to run the bootkit remover from esage, it tells me that I have an issue, but I get an error message when I try to fix the drive as per Chaslang's instructions given here: http://forums.majorgeeks.com/showthread.php?t=218778.

    I followed Chaslang's instructions given to DoktrMike here: http://forums.majorgeeks.com/showthread.php?t=219822 and attached logs from MBRCheck and MGTools.

    Thank you for all your help in past postings -- they are the only reason that I have any idea what I am talking about. I hope we can get this fixed as it is driving me nuts!
     

    Attached Files:

  2. evantpdx

    evantpdx Private E-2

    These are the logs from the Rootkit Remover scan and subsequent attempt to repair the MBR.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why are you still using barebones Vista with no service pack updates???

    Did you get a Windows Vista bootable DVD with your PC? You may need this to fix the MBR. Also note that your HP PC has a Recovery Partition and restoring the MBR to a standard Vista MBR could make the Recovery Partition non-useable in the future if ever needed.

    Also here is a warning we frequently give people before attempting repairs of the MBR.
    So it is either back up and attempt a fix, or back up and then try using your Recovery Partition to restore the PC to the state it was in when you took it out of the box.


    Now please download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  4. evantpdx

    evantpdx Private E-2

    Not sure why there are no SP updates... Auto updating is on.

    I ran TDSSKiller and it found one item, removed it, and rebooted. Iexplore.exe / isuser.exe have not opened again.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then you should look into this when we finish because you are way out of date. The TDL3 infection you had could cause MS Update to not work but Vista SP1 and SP2 have been out for a very long time so I don't think it would be why. Have you recently tried to get updates manually? Try it just to see if it works or how far it gets.

    Attach a new log from MBRcheck.
     
  6. evantpdx

    evantpdx Private E-2

    Ran MBRCheck again.

    I checked the update history and it had a ton of other updates, no SP1 or SP2 to be found. Updated to SP1, it is searching for more updates right now.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I can see the SP1 update now in MBRcheck. You do need to get all the way up to SP2.

    The MBR still shows as unknown. I'm not sure if this is because of the HP special MBR or if it is really an infection. MBRcheck does recognize quite a few non-standard MBRs including Dell and HP that I have seen in the past. We could attempt to fix this using fixmbr from the Recovery Console if you would like, but remember that the non-standard HP MBR would be overwritten with a Windows MBR and this could affect the ability to use your factory recovery partition if you ever need it. Also, you would be well served to back up important data first.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh and just to give you an example of what I mean by MBRcheck normally recognizing HP MBRs. The below are the last few lines from an MBRcheck scan on an HP computer. The D drive is the Recovery Partition.
    Code:
    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000071`26521600  (NTFS)
    PhysicalDrive0 Model Number: ST3500620AS, Rev: HP24
          Size  Device Name          MBR Status
      --------------------------------------------
        465 GB  \\.\PhysicalDrive0   Hewlett-Packard MBR code detected
                SHA1: F362CE084BC77B454330005C1657154A64FB9456
    Which is why I'm still concerned that your MBR may be infected.
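The check chaslang describes (hashing the boot code in sector 0 and comparing it against known vendor MBRs, while reading the partition table for the C: and D: offsets) can be reproduced offline. The following is an added example written for this thread, not MBRcheck's own code: it parses a 512-byte MBR image, hashes the boot-code region, looks the hash up in an allowlist and decodes the partition entries. The Hewlett-Packard SHA-1 in the allowlist is the value quoted in the post above; the assumption that the hash covers the first 440 bytes (before the disk signature and partition table) is mine, and the sample sector is constructed so the script runs without a real disk.

```python
import hashlib
import struct

# Boot-code hash allowlist. The Hewlett-Packard entry is the SHA-1 that MBRcheck
# printed for a clean HP disk in the post above; other vendor entries would be
# added the same way from a trusted image.
KNOWN_MBR_CODE = {
    "F362CE084BC77B454330005C1657154A64FB9456": "Hewlett-Packard MBR code detected",
}

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # ASSUMPTION: hash covers bytes 0-439, before the disk signature
PART_TABLE_OFFSET = 446
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def is_valid_mbr(sector: bytes) -> bool:
    """A 512-byte sector that ends in the 0x55AA boot signature."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == b"\x55\xAA"


def check_signature(sector: bytes) -> None:
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with the 0x55AA boot signature")


def mbr_code_hash(sector: bytes) -> str:
    """SHA-1 of the boot-code region, upper-case hex as MBRcheck prints it."""
    check_signature(sector)
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def classify_mbr(sector: bytes, known=KNOWN_MBR_CODE) -> str:
    """Allowlist label for the boot code, or a flag that it is unrecognised."""
    return known.get(mbr_code_hash(sector), "Unknown MBR code")


def partition_offsets(sector: bytes) -> list:
    """Decode the four partition-table slots into bootable flag, type, byte offset and size."""
    check_signature(sector)
    entries = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, sector[start:start + 16])
        if ptype == 0:
            continue  # empty slot
        entries.append({
            "bootable": status == 0x80,
            "type": ptype,
            "offset": lba * SECTOR_SIZE,   # MBRcheck reports this byte offset per volume
            "size": count * SECTOR_SIZE,
        })
    return entries


def build_sample_mbr() -> bytes:
    """CONSTRUCTED sample sector: placeholder boot code plus a two-partition table laid
    out so the NTFS volumes start at the C: and D: offsets quoted in the thread
    (0x7E00 and 0x71`26521600). It is not a real HP MBR, so its hash is unknown."""
    boot_code = b"\xEB\x3C\x90CONSTRUCTED-BOOT-CODE".ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"
    c_start = 0x7E00 // SECTOR_SIZE
    d_start = 0x7126521600 // SECTOR_SIZE
    c_drive = struct.pack(PART_ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", c_start, d_start - c_start)
    d_drive = struct.pack(PART_ENTRY_FMT, 0x00, b"\0\0\0", 0x07, b"\0\0\0", d_start, 28_000_000)
    empty = b"\x00" * 16
    return boot_code + disk_sig + c_drive + d_drive + empty + empty + b"\x55\xAA"


if __name__ == "__main__":
    mbr = build_sample_mbr()
    print("SHA1:", mbr_code_hash(mbr))
    print(classify_mbr(mbr))
    for p in partition_offsets(mbr):
        flag = " (boot)" if p["bootable"] else ""
        print(f"type 0x{p['type']:02X} at offset 0x{p['offset']:016X}{flag}")
```

On a real image you would read sector 0 with `open(r"\\.\PhysicalDrive0", "rb").read(512)` from an elevated prompt, or from a disk image taken outside Windows; an "Unknown MBR code" result on a disk whose vendor MBR is normally recognised is exactly the situation discussed above, and the decision to overwrite it with fixmbr still rests on the backup and recovery-partition caveats chaslang gives.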
     
  9. evantpdx

    evantpdx Private E-2

    I have the important data backed up on a separate computer so I'd like to go ahead with the fixmbr. How do I accomplish this?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try an easier method first and maybe it will work.

    • Run MBRCheck.exe
    • Wait until you see the following lines:
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
      • Options:
        [1] Dump the MBR of a physical disk to file.
        [2] Restore the MBR of a physical disk with a standard boot code.
        [3] Exit.
        Enter your choice:
    • Please push the 'Y' key and then press Enter
    • When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
    • Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
      • Enter 0 and press the Enter key.
    • The program will show Available MBR codes as below
    • You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
    • The program will prompt for confirmation. Type 'YES' and hit Enter.
    • Left click on the title bar (where program name and path is written). From menu choose Edit -> Select All
    • You will see all the text in the window get highlighted.
    • Hit the Enter key on your keyboard to copy all of the text into the clipboard.
    • Paste that text into Notepad, save it to your desktop as MBRfix.txt
    • Restart your PC.
    • Attach the MBRfix.txt file to your next message.
     
  11. evantpdx

    evantpdx Private E-2

    Ran MBRCheck again.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that did not work. Back in message # 3 I asked you if you had your Windows boot DVD and you never answered the question. You are going to have to boot up outside of Windows to repair the MBR. You can see some instructions on this in the below. Just skip the XP part and go to the Vista section.

    http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/
     
