MBR Rootkit virus found - Please Help.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MKATTS, Jan 25, 2010.

  1. MKATTS

    MKATTS Private E-2

    I've been trying to get rid of this thing for about a 3 weeks now. Symptoms include:
    A HelpAssistant user was created with Admin rights.
    All of the files in my main user accounts Documents and Setting directory being copied to this Help Assistant user account.
    Frequent computer lockups requiring me to power down to reset.
    Certain websites like eBay and my banks website asking for my personal information and credit card information (including ATM Pin).

    I've deleted the Help Assistant user and all of it's files several times but it keeps returning.

    I've ran through all of the steps in the main thread (files are attached) and still have the same issue.

    Any help would be appreciated.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please run the below tool from Prevx

    Prevx 3.0 use the button that says Download Prevx 3.0

    After running the Prevx scan, reboot and then continue with the below.

    Uninstall the below software:
    Java(TM) 6 Update 16


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. MKATTS

    MKATTS Private E-2

    I ran PrevX and it was able to find a rootkt.mbr virus but was not able to remove it. I also updated Java from update 16 to 18.

    I downloaded and ran Avenger and the report says it deleted the files however, as soon as the system rebooted it recreated the HelpAssistant directory and started copying the files again (including the windows/temp files).

    Attached are the latest copies of the log files.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay if PrevX will not remove, you will need your Windows Boot disk so you can get to the Recovery Console to do the below:

    Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    After running the fixmbr command and boot back to normal mode, continue with the below.

    Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds