Browser redirects and fake security installs (possible rootkits)

Do you have your XP install CD? If not, you can create a recovery console disc here:
This is a download of an .iso file of just the Recovery Console for XP.
Burn to CD with Nero or other 'disc image' capable tool and boot.

XP Recovery Console.

You can use ImageBurn to create the disc.

Go into your bios and change the boot order to CD/DVD as first boot device. Insert the CD and reboot. Once in the Recovery Console type:
fixmbr.

I will look at your logs while you do this.

Once you are done, Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  
  • Done! Press ENTER to exit...
  
  
• Or you will see more information like below if a problem is found:
  
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  
  
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message.

 

Why did you run the scans in safe mode?

Now download The Avenger by Swandog46 to your Desktop.

See the download links under this icon
Extract avenger.exe from the Zip file and save it to your desktop.

1. Run avenger.exe by double-clicking on it.
2. Click OK at the warning to continue to use The Avenger
3. Do not change any of the check box options!
4. Shut down your protection software now to avoid possible conflicts.
5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
   
6. Now click the button
7. Click Yes to the prompt to confirm you want to execute.
8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
9. Your PC should reboot, if not, reboot it yourself.
10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now boot into normal mode and run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

Then attach the below logs:
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

1. Run avenger.exe by double-clicking on it.
2. Click OK at the warning to continue to use The Avenger
3. Do not change any of the check box options!
4. Shut down your protection software now to avoid possible conflicts.
5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
   
6. Now click the button
7. Click Yes to the prompt to confirm you want to execute.
8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
9. Your PC should reboot, if not, reboot it yourself.
10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Are you missing any icons on your desktop? Are all your programs showing in Start / All Programs?

What happened when you went into the recovery console and ran fixmbr? Did you get a warning message? Did you get a success message?

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

Then attach the below logs:

* C:\MGlogs.zip

 

Boot back into the RC and try doing the fixmbr command again. Then re-run MBRCheck and attach the new log.

 

Please use the CD to boot back into the Recovery Console, once there, type:
map
You should get a list, attach that to your next reply so I can see what path you are using.

 

OK, let's try again. Go back into the RC ( Using the CD!! ) and type this:
fixmbr \device\harddisk0

Reboot into normal mode and re-run MBRCheck. Attach the new log.

 

This is disturbing. There is an outside chance that your faked MBR has somehow corrupted your Recovery Console disc, but it would be a first as far as I know.

Can you use another computer to re-create that disc? The other option is to create a Hiram's disc.

 

*** Please print these instructions ***

1. Download Hiren's BootCD Iso to the desktop of a clean computer.
2. Extract the zipped HirensBootCD.zip to your desktop.
3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
5. Insert a blank CD in your drive.
6. Press Start. This will burn the image to disc. After it has completed...
7. Restart your sick computer and boot from the HBCD you created.
o If your PC is not booting from the CD, you need to change the boot order:
+ Restart your PC
+ As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
+ Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
+ Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
+ The tab should now show your current boot order.
+ If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
+ Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
o Your PC should now boot from your CD.
o Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
8. When the CD boots choose "DOS BootCD".

At the Hiren's BootCD main menu, select Next and hit Enter.

At the second menu select 1 MBR (Master Boot Record)Tools

In the list of MBR Tools select 1 MBR Work 1.08

This screen will show the hard drive configuration.

Type 5 to Install standard MBR code then hit Enter
Type 1 to select Standard then hit Enter
Type Y then hit Enter to confirm
Type E then hit Enter to exit
Press Ctrl+Alt+Del to restart the machine

 

No problem.

 

We are starting to see more and more MBR's that will not get fixed. The last resort is to reformat and re-partition the drive. Let me consult with the other Malware Fighters and see if we can come up with an alternative.

 

I want you to try this tool. Go to:
http://blog.webroot.com/2011/07/08/free-anti-popureb-tool-released/

click on the highlighted words " we are releasing this today to the public" and run the tool. Once done, please re-run MBRCheck and attach the new log.

 

This is disappointing. Let me see if we can find something else.