MBR Code Faked! Virus and Redirect issues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JAGUAR59, Nov 27, 2011.

  1. JAGUAR59

    JAGUAR59 Private E-2

    I am working on a computer that has viruses and is causing browser redirects. TDSSKiller will not load even if renamed, and ComboFix starts but does not run. I have run Malwarebytes, SuperAntiSpyware, MGLogs and MBRCheck. The logs are attached. Thank you in advance for your support.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have an infected partition on your hard disk. Your logs show the below, which is being used to start up your computer with this infected partition:

    Partition Disk #0, Partition #2
    Partition Size 8.72 MB (9,143,808 bytes)



    Preferably from a clean computer, I need you to download the below:
    Create a bootable CD for each of the above ISO files, one for GParted and one for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.
    Now boot off of the newly created Gparted CD.

    You should be here...
    Press ENTER
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    Choose your language and press ENTER. English is default [33]
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    According to your logs, the partition that you want to delete is 8.72 MB (9,143,808 bytes)

    Click the trash can icon to delete and then click Apply.
    You should now be here confirming your actions:
    Now you should be here:
    Is boot next to your OS drive?
    If boot is not next to your OS drive under Flags, right-click the OS drive while in GParted and select Manage Flags.
    In the menu that pops up, place a checkmark next to boot.
    Now double-click the button shown in the original screenshot (image not preserved).
    You should receive a small pop up like this:
    Choose reboot and then press OK.

    Now reboot from the Windows XP Recovery Console CD and execute the following commands:
    • fixmbr \Device\HardDisk0
    • fixboot c:
    • exit
    Once back in Windows continue with the below instructions.

    Now rerun MBRCheck and attach a new log.


    Also now run the C:\MGtools\GetLogs.bat file by double-clicking on it (Note: if using Vista or Win7, don't double-click; use right-click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
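The instructions above boil down to: find the small partition that carries the MBR active (0x80) flag, delete it, move the boot flag back to the OS volume, and rewrite the MBR code and boot sector with fixmbr/fixboot. The script below is an added example, not part of this thread or of MBRCheck; it parses a 512-byte MBR sector and reports which entry the BIOS will boot from and how big it is. The embedded sample image is constructed (a large NTFS volume plus a 17,859-sector partition flagged active, which is exactly 9,143,808 bytes, the size quoted in the logs), the 0x1B type id and the 64 MB "too small to be an OS" threshold are assumptions, and the helper names are hypothetical.

```python
"""Inspect an MBR partition table for a tiny 'active' boot partition.

Added example (not from the thread). The sample MBR below is constructed
inline so the script runs offline; pass a real first-sector image instead.
"""
import struct
import sys

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"        # bytes 510..511 of a valid MBR
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
ENTRY_FORMAT = "<B3sB3sII"         # flag, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FORMAT)  # 16


def build_sample_mbr() -> bytes:
    """Constructed sample (assumption): a large NTFS OS volume that is NOT active,
    plus a 17,859-sector (9,143,808-byte) second partition that IS active."""
    entries = [
        # (active flag, type id, LBA start, sector count)
        (0x00, 0x07, 63, 156_250_000),       # NTFS, ~74 GB, no boot flag
        (0x80, 0x1B, 156_250_063, 17_859),   # hidden FAT32 type id (assumption), flagged active
        (0x00, 0x00, 0, 0),                  # unused slot
        (0x00, 0x00, 0, 0),                  # unused slot
    ]
    table = b"".join(
        struct.pack(ENTRY_FORMAT, flag, b"\0\0\0", ptype, b"\0\0\0", start, count)
        for flag, ptype, start, count in entries
    )
    return bytes(PARTITION_TABLE_OFFSET) + table + MBR_SIGNATURE


def parse_mbr(sector: bytes) -> list:
    """Return one dict per in-use partition entry; raise if the signature is wrong."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR sector")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        flag, _, ptype, _, start, count = struct.unpack(ENTRY_FORMAT, sector[off:off + ENTRY_SIZE])
        if ptype == 0:          # empty slot
            continue
        if flag not in (0x00, 0x80):
            raise ValueError(f"entry {i + 1}: invalid boot flag 0x{flag:02x}")
        parts.append({
            "index": i + 1,               # matches the 'Partition #n' numbering in MBRCheck
            "active": flag == 0x80,
            "type": ptype,
            "lba_start": start,
            "sectors": count,
            "bytes": count * SECTOR_SIZE,
        })
    return parts


def suspicious_active_partitions(parts: list, max_bytes: int = 64 * 2**20) -> list:
    """Active partitions far too small to hold an OS while a larger one exists.
    The 64 MB threshold is an assumption chosen to catch stub partitions like
    the 8.72 MB one in the thread."""
    if not parts:
        return []
    largest = max(p["bytes"] for p in parts)
    return [p for p in parts if p["active"] and p["bytes"] <= max_bytes and p["bytes"] < largest]


def describe(parts: list) -> str:
    """Render entries in the same 'x.xx MB (n bytes)' style MBRCheck uses."""
    lines = []
    for p in parts:
        mb = p["bytes"] / 2**20
        lines.append(f"Partition #{p['index']}: type 0x{p['type']:02x}, "
                     f"{mb:.2f} MB ({p['bytes']:,} bytes), active={p['active']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python mbr_check.py [first-sector-image]; with no file, the sample is used.
    # To capture a real first sector on Linux (needs root): dd if=/dev/sda of=mbr.bin bs=512 count=1
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else build_sample_mbr()
    parts = parse_mbr(data)
    print(describe(parts))
    for p in suspicious_active_partitions(parts):
        print(f"WARNING: tiny active partition #{p['index']} is what the disk will boot from")
```

This only checks the partition table. The "MBR Code Faked" finding in the title concerns the 446 bytes of boot code before the table, which MBRCheck compares against known-good images and which fixmbr rewrites; the script above does not validate that code, so run MBRCheck again after the repair, as chaslang asks.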
     
  3. JAGUAR59

    JAGUAR59 Private E-2

    Just want to confirm on this step below that I should choose R for repair to get to a DOS prompt to run the following commands.

    Now reboot from the Windows XP Recovery Console CD and execute the following commands:
    fixmbr \Device\HardDisk0
    fixboot c:
    exit
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you are trying to get to the command prompt of the Recovery Console to run those commands.
     
  5. JAGUAR59

    JAGUAR59 Private E-2

    Successfully fixed the partition and MBR, MBRcheck file is attached. Should I now rerun malware scans?
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That looks better!

    Are you having any redirection issues now?

    Please attach the new MGlogs.zip file I requested.
     
  7. JAGUAR59

    JAGUAR59 Private E-2

    Does not seem to be redirecting now. Looks a lot better. I am sorry I did not attach the MGlogs last time, I was impressed with fixing the MBR and forgot to attach them. I did reset system restore to delete old system restore files as you will see in the logs. Thanks for your help.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.




    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. After doing the above, you should work thru the below link:
     
  9. JAGUAR59

    JAGUAR59 Private E-2

    Thank you for your wonderful support! You all are the best
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
