MBR Virus: IEXPLORE.exe, ad pop-ups, wave audio control goes mute

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DaveOCLV, Jul 8, 2010.

  1. DaveOCLV

    DaveOCLV Private E-2

    I have the same issue as listed below:
    "IEXPLORE.exe, ad pop-ups, wave audio control goes mute"
    http://forums.majorgeeks.com/showthread.php?p=1507149

    And I seem to have fixed it using the exact method described for remover.exe.

    Before:
    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 4c00ddc7732c58a1d68ef0527b90539d

    Size     Device Name           MBR Status
    --------------------------------------------
    232 GB   \\.\PhysicalDrive0    Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    After:
    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 6def5ffcbcdbdb4082f1015625e597bd

    Size     Device Name           MBR Status
    --------------------------------------------
    232 GB   \\.\PhysicalDrive0    OK (DOS/Win32 Boot code found)



    However, I am still not allowed to delete
    "C:\System Volume Information\Microsoft".
    as stated in the procedure. It is protected.
    I have tried the procedure Microsoft recommends:
    http://support.microsoft.com/kb/309531
    For Windows XP Pro, 32-bit standalone.
    However, I cannot enable myself (as a user); instead there is a user called SYSTEM (which never existed before).

    As such, I have not reenabled System Restore.

    Thanks
    -Dave
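The Bootkit Remover output above reports an MD5 of the master boot sector and a verdict on the boot code, and `remover.exe fix` is expected to rewrite only the bootstrap code while leaving the partition table alone. The following is an added example (not part of the original post and not eSage Lab's code) showing how to check that yourself on two raw 512-byte dumps, such as the ones `remover.exe dump` writes before and after disinfection. It assumes the dump file is the raw sector; the two sample sectors are constructed inline and are not real disk images or real Windows boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440          # bytes 0..439 hold the bootstrap code in the classic MBR layout
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow at 446..509
PART_TABLE_END = 510
SIGNATURE = b"\x55\xaa"      # the last two bytes of a valid MBR
PART_ENTRY = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector):
    """Split a raw 512-byte master boot record into its checkable pieces."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:   # type 0 marks an unused entry
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "md5": hashlib.md5(sector).hexdigest(),   # same idea as the tool's MD5 line
        "signature_ok": sector[PART_TABLE_END:] == SIGNATURE,
        "boot_code": sector[:BOOT_CODE_END],
        "partition_table": sector[PART_TABLE_OFFSET:PART_TABLE_END],
        "partitions": partitions,
    }


def compare_mbrs(before, after):
    """Report what a disinfection changed: boot code should differ, partition table must not."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": b["boot_code"] != a["boot_code"],
        "partition_table_intact": b["partition_table"] == a["partition_table"],
        "signature_ok": b["signature_ok"] and a["signature_ok"],
        "md5_before": b["md5"],
        "md5_after": a["md5"],
    }


def build_mbr(boot_code, partitions):
    """Assemble a synthetic MBR for testing (constructed data, not a real disk image)."""
    if len(boot_code) > BOOT_CODE_END:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[PART_TABLE_END:] = SIGNATURE
    return bytes(sector)


# Constructed samples: one bootable NTFS (type 0x07) partition, 232 GB of 512-byte sectors,
# identical in both; only the bootstrap bytes differ. Neither byte string is real boot code.
PARTITIONS = [(True, 0x07, 63, 486_539_264)]
INFECTED = build_mbr(b"\xeb\x58\x90" + b"\x90" * 437, PARTITIONS)
CLEAN = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433, PARTITIONS)

if __name__ == "__main__":
    # Real use: compare_mbrs(open("before.bin", "rb").read(), open("after.bin", "rb").read())
    result = compare_mbrs(INFECTED, CLEAN)
    for key, value in result.items():
        print("%-24s %s" % (key, value))
    for p in parse_mbr(CLEAN)["partitions"]:
        print("partition %d: type 0x%02x, bootable=%s, LBA %d, %d sectors"
              % (p["index"], p["type"], p["bootable"], p["lba_start"], p["sectors"]))
```

If `partition_table_intact` comes back False after a fix, the tool did more than replace the bootstrap code and the disk layout should be checked before rebooting; if `signature_ok` is False, the dump is not a complete sector or the record is corrupt.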
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    System Volume Information is a folder protected by the operating system and is used for System Restore. You need to first disable System Restore on all drives. Then see if you can access the folder and delete files. If not, then retry the procedure with cacls to set up the proper permissions, which malware may have corrupted. You can also right-click on the folder, select Properties and then the Security tab, and change the permissions to grant yourself access, but only after System Restore is disabled or by booting in Safe Mode, as the link you referred to indicates.
     
  3. DaveOCLV

    DaveOCLV Private E-2

    Thanks -
    I did manage to give myself Modify rights to the folder.
    There was no subfolder "Microsoft".
    I reenabled system restore, rebooted, and was able to create several restore points.

    The computer seems to work fine now.

    I want to thank you and the contributors of this site for the very concise help on these issues. I had posted a "thanks" reply, but it may have been deleted prior to your response.
    Thanks again
    -Dave
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. DaveOCLV

    DaveOCLV Private E-2

    Thanks Thanks Thanks!
    Without you help and your amazing web site, we would be doomed.
    -Dave
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
