Browser Hijacker/Think Point Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by s4ross, Nov 24, 2010.

  1. s4ross

    s4ross Private E-2

    Hey, I am in dire need of some help with a browser hijacker.

    Last week I got the Think Point virus; it presented itself as a Microsoft virus scanner and I allowed it to install itself before realizing what it was. I immediately downloaded Malwarebytes' Anti-Malware, Spybot Search and Destroy and Ad-Aware, and ran all three. I'm not even sure if I got rid of the virus successfully, because my computer has still been incredibly slow and acting strange.

    As for the browser hijacker, it's been preventing me from accessing even the simplest of sites, re-routing me to garbage websites instead. I'm not sure how to even tackle this part of the problem, so I'll post all the necessary logs below, as well as the attached one, and hope that someone can help me! I appreciate any assistance at all.

    Cheers,
    Sarah

    LOGS:

    DDS.txt. LOG:

    GMER.log:
     

    Attached Files:

    Last edited by a moderator: Nov 24, 2010
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    Download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

    If still having problems after running the above then work thru the below and attach the requested logs.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. s4ross

    s4ross Private E-2

    Hey chaslang,

    Thanks for the help. I ran the TDSSkiller and went through the malware removal guide steps, and have all the logs. I still have the browser hijacker though.

    In this reply I've attached the logs for TDSS, SAS, Malwarebytes, and Combofix. I'll attach the rest in another reply.

    Thanks!!
    Sarah
     

    Attached Files:

  4. s4ross

    s4ross Private E-2

    Attached are the RRlog and MGlogs.zip.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Mozilla Firefox (3.5.15)

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. s4ross

    s4ross Private E-2

    Hey! I followed your instructions and have attached the two logs. After running them, I spent some time on my browser and now I can't find any signs of the hijacker at all! Do you think it's likely that these steps have gotten rid of it?

    Let me know what your thoughts are on the situation being fixed.

    Thanks again!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks better but let's run one more scan with ComboFix ( just double click on it to run it ) to make sure that the below are not still being detected. If they are, you will likely need to boot from your Windows XP Home CD to restore this from the Recovery Console.


     
  8. s4ross

    s4ross Private E-2

    I ran Combofix again and unfortunately the same stuff is being detected. I know that I don't have a Windows XP Home CD but perhaps I can find something online?



    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\system volume information\_restore{75E2BA47-5985-4D43-B137-5E543EC436D9}\RP13\A0006598.EXE

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  10. s4ross

    s4ross Private E-2

    I ran MBRcheck and a problem was found, though my computer seems to be running pretty well. See attached.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where did this second ( TOSHIBAMK2555GSX ) drive come from? It did not show in your first logs. Was it just added? Is it some kind of external device? The boot record on it is non-standard. It may or may not be infected. We really cannot tell from the MBRcheck log for sure. What data is on it and how much?


    Please run GMER per the below link and attach the log. Make sure the second drive is connected.

    GMER - running with a random name


    When you say "my computer seems to be running pretty well" do you mean you are not getting redirected anymore? Your winlogon.exe and explorer.exe files are still infected and need to be fixed. Without your Windows Boot CD, it is much more difficult to do.
     
    Last edited: Nov 27, 2010
  12. s4ross

    s4ross Private E-2

    I have Verbatim External HD as well as a Kingston Data Traveler USB Thumb Drive. I think the Kingston Thumb Drive may be the one showing up as "Toshiba".

    Verbatim HD: 43 GB of music and documents
    USB Drive: 0.98 GB of just music
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt it. The drive showed as 232 GB which would more likely be your Verbatim drive.

    Can you back up the data on this drive somewhere else before we try to fix the master boot record?


    You also need to run GMER as requested and answer my question. See msg # 11.
     
  14. s4ross

    s4ross Private E-2

    You're right, it must be the Verbatim, as it has 232 GB total space. I'm worried about backing the files up on another external; I don't want to infect someone else's external too. For now I've backed my documents up on my C drive, but I don't know if that helps, maybe files will get erased during the master boot record?

    If you recommend that it's best to save everything on another external (and that it won't get infected as well), then I'll do that so we can proceed with the master boot.

    Thanks!!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    According to your logs, the C drive had 51,142,672,384 bytes free. See if you can save everything to it. Once you do this, we will attempt to rewrite the MBR of the external drive. The external drive is the only one with the "faked MBR". The C drive was okay in your MBRcheck log.
     
  16. s4ross

    s4ross Private E-2

    I've moved everything over to my C drive. I'm ready to rewrite the external!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Run MBRCheck.exe
    • Wait until you see the following lines:
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
      • Options:
        [1] Dump the MBR of a physical disk to file.
        [2] Restore the MBR of a physical disk with a standard boot code.
        [3] Exit.
        Enter your choice:
    • Please push the 'Y' key and then press Enter
    • When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
    • Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
      • Enter 1 and press the Enter key.
    • The program will show Available MBR codes as below
    • You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
    • The program will prompt for confirmation. Type 'YES' and hit Enter.
    • Left click on the title bar (where program name and path is written). From the menu choose Edit -> Select All
    • You will see all the text in the window get highlighted.
    • Hit the Enter key on your keyboard to copy all of the text into the clipboard.
    • Paste that text into Notepad, save it to your desktop as MBRfix.txt
    • Restart your PC.
    • Attach the MBRfix.txt file to your next message.
     
  18. s4ross

    s4ross Private E-2

    Hi, I ran the MBR fix, and have attached the log. I checked my external hard drive and the docs are still there intact. I also checked for the browser hijacker and it's still present as well.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, now let's see if it fixed the MBR. Run MBRcheck exactly like requested in message # 9 and attach the new log.


    Yes that is because of the winlogon.exe and explorer.exe infections ( and perhaps other files are infected too ). Since you don't have your Windows CD to boot to, you will likely have to make a different boot CD that you can use to boot up from. Then while Windows is not running, you may be able to replace the infected files with good ones which I can supply you with. Do you have the ability to burn CDs and do you know how to set your BIOS boot order so that you can boot from the CD first rather than from the hard disk?
     
  20. s4ross

    s4ross Private E-2

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001d

    Kernel Drivers (total 132):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF8B78000 \WINDOWS\system32\KDCOM.DLL
    0xF8A88000 \WINDOWS\system32\BOOTVID.dll
    0xF8629000 ACPI.sys
    0xF8B7A000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF8618000 pci.sys
    0xF8678000 isapnp.sys
    0xF8C40000 pciide.sys
    0xF88F8000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF8B7C000 intelide.sys
    0xF8688000 MountMgr.sys
    0xF85F9000 ftdisk.sys
    0xF8900000 PartMgr.sys
    0xF8698000 VolSnap.sys
    0xF85E1000 atapi.sys
    0xF86A8000 disk.sys
    0xF86B8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF85C1000 fltmgr.sys
    0xF85AF000 sr.sys
    0xF86C8000 PxHelp20.sys
    0xF858B000 Fastfat.sys
    0xF8574000 KSecDD.sys
    0xF8547000 NDIS.sys
    0xF86D8000 ohci1394.sys
    0xF86E8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF852D000 Mup.sys
    0xF8718000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF8AFC000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0xF8728000 \SystemRoot\System32\DRIVERS\processr.sys
    0xF8450000 \SystemRoot\System32\DRIVERS\ialmnt5.sys
    0xF843C000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF8918000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF8418000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF8920000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF8738000 \SystemRoot\System32\DRIVERS\AN983.sys
    0xF8748000 \SystemRoot\System32\DRIVERS\serial.sys
    0xF8B00000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xF8928000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xF83DC000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF8758000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF8768000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF8778000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF83B9000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF8930000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF838D000 \SystemRoot\system32\drivers\STAC97.sys
    0xF8369000 \SystemRoot\system32\drivers\portcls.sys
    0xF8788000 \SystemRoot\system32\drivers\drmk.sys
    0xF84C4000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF8798000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF8B08000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF8352000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF87A8000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF87B8000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF8938000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF82A1000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF87C8000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF8940000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF8948000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF87D8000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF8950000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF8958000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF8B7E000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF8243000 \SystemRoot\System32\DRIVERS\update.sys
    0xF8B18000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF87E8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF0185000 \SystemRoot\system32\drivers\ialmsbw.sys
    0xF0174000 \SystemRoot\system32\drivers\ialmkchw.sys
    0xF8960000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xF8818000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF8B80000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF84A0000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
    0xF849F000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
    0xF8B82000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF849E000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8B84000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF8970000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF8978000 \SystemRoot\System32\drivers\vga.sys
    0xF8B86000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8B88000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF8980000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF8988000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF8B58000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xF0119000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xF00C0000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF0098000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF0060000 \SystemRoot\system32\DRIVERS\tcpip6.sys
    0xF8B60000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xF003E000 \SystemRoot\System32\drivers\afd.sys
    0xF8838000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF001C000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xF8990000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xEFFF1000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xEFF81000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF8848000 \SystemRoot\System32\Drivers\Fips.SYS
    0xEFF5B000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xF8858000 \SystemRoot\system32\drivers\ip6fw.sys
    0xF8868000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xF8878000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xF8998000 \SystemRoot\System32\DRIVERS\usbccgp.sys
    0xF8404000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF8888000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF8400000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF83FC000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF89A0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF88A8000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEFE7B000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF8B8A000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF8237000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF89A8000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8CEE000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF01E000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF036000 \SystemRoot\System32\ialmdev5.DLL
    0xBF05F000 \SystemRoot\System32\ialmdd5.DLL
    0xEFC35000 \SystemRoot\system32\DRIVERS\nwlnkipx.sys
    0xF8898000 \SystemRoot\system32\DRIVERS\nwlnknb.sys
    0xEFD83000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xF82D2000 \SystemRoot\system32\DRIVERS\nwlnkspx.sys
    0xEFAB8000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF82F2000 \SystemRoot\system32\drivers\sysaudio.sys
    0xEF73D000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xF8BC6000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xF89B0000 \??\C:\WINDOWS\system32\ANIO.SYS
    0xEF5CD000 \SystemRoot\System32\DRIVERS\srv.sys
    0xF89C0000 \SystemRoot\system32\drivers\npf.sys
    0xEEF9C000 \SystemRoot\System32\Drivers\HTTP.sys
    0xEFB3D000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xEDBFC000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\System32\ntdll.dll

    Processes (total 39):
    0 System Idle Process
    4 System
    592 C:\WINDOWS\System32\SMSS.EXE
    640 CSRSS.EXE
    664 C:\WINDOWS\System32\WINLOGON.EXE
    720 C:\WINDOWS\System32\SERVICES.EXE
    732 C:\WINDOWS\System32\LSASS.EXE
    880 C:\WINDOWS\System32\SVCHOST.EXE
    944 SVCHOST.EXE
    1032 C:\WINDOWS\System32\SVCHOST.EXE
    1252 SVCHOST.EXE
    1464 C:\WINDOWS\EXPLORER.EXE
    1492 C:\WINDOWS\System32\SPOOLSV.EXE
    2008 C:\WINDOWS\System32\IGFXTRAY.EXE
    2020 C:\WINDOWS\System32\HKCMD.EXE
    2036 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    148 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    164 C:\Program Files\iTunes\iTunesHelper.exe
    172 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    272 C:\Program Files\Skype\Phone\Skype.exe
    304 C:\WINDOWS\System32\CTFMON.EXE
    420 SVCHOST.EXE
    452 C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
    488 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    520 C:\Program Files\Bonjour\mDNSResponder.exe
    568 C:\Program Files\HP\Digital Imaging\BIN\HPQTRA08.EXE
    612 C:\Program Files\Java\JRE6\BIN\JQS.EXE
    888 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    1060 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
    1284 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    1636 C:\WINDOWS\System32\SVCHOST.EXE
    1696 WDFMGR.EXE
    108 C:\Program Files\HP\Digital Imaging\BIN\HPQSTE08.EXE
    2176 C:\Program Files\iPod\BIN\iPodService.exe
    2292 C:\WINDOWS\System32\WSCNTFY.EXE
    2732 ALG.EXE
    3184 C:\WINDOWS\System32\SVCHOST.EXE
    3416 C:\Program Files\Skype\Plugin Manager\skypePM.exe
    1452 C:\Documents and Settings\Rebbeca\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
    \\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: WDCWD800BB-00CAA1, Rev: 17.07W17
    PhysicalDrive1 Model Number: TOSHIBAMK2555GSX, Rev:

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    232 GB \\.\PhysicalDrive1 MBR Code Faked!
    SHA1: 4027C9F3C5A8818B1BDCED4AF43C34A4232F5C5A


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!


    I have access to a CD burner via my friend's computer but neither of us have a Windows XP disc. So, I have a few questions:

    1. How do I go about creating a Windows XP Boot CD?
    2. How do I change the BIOS boot order to boot from a CD instead of my hard drive?
    3. How do I boot the computer so that Windows isn't running?
    4. When do I replace the infected winlogon.exe and explorer.exe applications during this process?

    Please advise.
     
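    The MBRCheck output above is the kind of log a helper ends up reading by hand. The following Python script, added here as an example and not part of MBRCheck or of MajorGeeks' own tooling, parses the drive-letter mappings, model lines and the "Size / Device Name / MBR Status" table out of such a log and flags any disk whose boot code was not reported as standard. The parsing rules (one SHA1 line directly under each status line, the phrase "MBR code detected" meaning known-good code) are assumptions based on the layout posted in this thread; the embedded sample is constructed to mirror that post.

```python
"""Triage an MBRCheck-style log: pull out the per-disk MBR status table and
flag any disk whose boot code the tool did not recognise as standard.

Added example for this thread; not MBRCheck's or MajorGeeks' code.  The line
formats matched below are assumptions taken from the log posted above.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample that mirrors the layout of the MBRCheck output in the
# thread (two disks, the second one reported as faked).
SAMPLE_LOG = r"""
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: WDCWD800BB-00CAA1, Rev: 17.07W17
PhysicalDrive1 Model Number: TOSHIBAMK2555GSX, Rev:

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
232 GB \\.\PhysicalDrive1 MBR Code Faked!
SHA1: 4027C9F3C5A8818B1BDCED4AF43C34A4232F5C5A

Found non-standard or infected MBR.
"""

# Assumed line shapes (see the log above):  "\\.\C: --> \\.\PhysicalDrive0 at offset ..."
MOUNT_RE = re.compile(r"^\\\\\.\\([A-Z]):\s+-->\s+\\\\\.\\(PhysicalDrive\d+)\s+at offset")
# "PhysicalDrive1 Model Number: TOSHIBAMK2555GSX, Rev:"  (revision may be empty)
MODEL_RE = re.compile(r"^(PhysicalDrive\d+)\s+Model Number:\s*(.*?),\s*Rev:\s*(.*)$")
# "232 GB \\.\PhysicalDrive1 MBR Code Faked!"
STATUS_RE = re.compile(r"^(\d+)\s*GB\s+\\\\\.\\(PhysicalDrive\d+)\s+(.+)$")
# "SHA1: <40 hex digits>" on the line directly below a status line
SHA1_RE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})$")


@dataclass
class DiskRecord:
    device: str                                   # e.g. "PhysicalDrive1"
    size_gb: Optional[int] = None
    status: Optional[str] = None                  # text after the device in the status table
    sha1: Optional[str] = None                    # boot-sector hash as printed by the tool
    model: Optional[str] = None
    mounts: List[str] = field(default_factory=list)  # drive letters mapped onto this disk

    def is_standard(self) -> bool:
        # Assumption: known-good boot code is reported as "... MBR code detected";
        # anything else (faked, unknown, or no status line at all) needs a look.
        return bool(self.status) and self.status.endswith("MBR code detected")


def parse_mbrcheck(text: str) -> Dict[str, DiskRecord]:
    """Return one DiskRecord per physical disk mentioned in the log, keyed by device."""
    disks: Dict[str, DiskRecord] = {}
    current: Optional[DiskRecord] = None   # disk whose status line was seen last

    def get(dev: str) -> DiskRecord:
        return disks.setdefault(dev, DiskRecord(device=dev))

    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            get(m.group(2)).mounts.append(m.group(1) + ":")
        elif m := MODEL_RE.match(line):
            get(m.group(1)).model = m.group(2).strip()
        elif m := STATUS_RE.match(line):
            current = get(m.group(2))
            current.size_gb = int(m.group(1))
            current.status = m.group(3).strip()
        elif (m := SHA1_RE.match(line)) and current is not None:
            current.sha1 = m.group(1).upper()
            current = None   # the SHA1 belongs to the status line just above it
    return disks


def flag_nonstandard(disks: Dict[str, DiskRecord]) -> List[DiskRecord]:
    """Disks whose boot code MBRCheck did not report as standard."""
    return [d for d in disks.values() if not d.is_standard()]


def summarize(text: str) -> List[str]:
    """One line per disk, flagged disks first, for a quick read of the log."""
    disks = parse_mbrcheck(text)
    flagged = {d.device for d in flag_nonstandard(disks)}
    ordered = sorted(disks.values(), key=lambda d: (d.device not in flagged, d.device))
    lines = []
    for d in ordered:
        tag = "CHECK" if d.device in flagged else "ok   "
        lines.append(f"[{tag}] {d.device} {d.size_gb} GB model={d.model} "
                     f"mounts={','.join(d.mounts) or '-'} status={d.status!r} sha1={d.sha1}")
    return lines


if __name__ == "__main__":
    # Usage: python mbrcheck_triage.py MBRCheck_07.16.10_00.32.33.txt  (or no argument for the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for line in summarize(text):
        print(line)
```

A disk that appears in the model or mount lines but has no status line is deliberately left flagged rather than assumed clean, which matches how the thread treats a drive the scanner could not see: absence of a verdict is not a clean verdict. Run it against the saved MBRCheck log to get the mapping from drive letter to physical disk and the flagged entries in one place.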
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember to attach logs when we say to attach them. ;)

    This shows that the MBR was not fixed. Let's try fixing it a different way but a Windows CD may yet be needed.

    • Download bootkit_remover.rar
    • Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip
    • After extracting remover.exe to your Desktop, double click the remover.exe file to run the program.
    • Attach, or post inline here, the output from remover.exe
    NOTE: The Command Prompt window text can be copied to the clip board by right clicking on the top bar of the window and using the Edit commands to Mark, Copy, and Paste.
     
  22. s4ross

    s4ross Private E-2

    Hi, sorry about the last attachment! I've attached the Bootkit remover log, it seems to look good.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to have the second drive plugged in so that it can be checked. Your log shows only physicaldrive0 ( the 74 GB drive ) which we know was okay from the previous logs.
     
  24. s4ross

    s4ross Private E-2

    The second drive was plugged in, I'm not sure why it didn't show up. I tried unplugging and plugging it back in, and knew it was working because I could access the files on it. I tried running the bootkit twice, and both times it gave me the same results as though the external wasn't plugged in. I'm not sure why it's happening.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I see the problem. The author has made the program more difficult to use and now only scans the system root drive by default. Special options are now necessary to scan other drives which is a little silly since you need to know the device list before you can make a special command in order to scan it.

    Make sure you have the remover.exe file directly on your Desktop and then do the below.

    Click Start, Run, and enter the below into the Run box and click OK. Note you must copy it exactly as is with the quotes so use copy and paste (ignore the underline of the physical drive. The underline is caused by Vbulletin software. )

    "%userprofile%\Desktop\remover.exe" check \\.\PhysicalDrive1


    After it runs a bootkit_remover_debug_log.txt file will be on your Desktop. Attach this file to your next message.
     
    Last edited: Nov 29, 2010
  26. s4ross

    s4ross Private E-2

    You were right, this time it worked. I attached the log.

    Sorry this is taking so long, I really appreciate all the time you are putting into helping me.
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Now using the same method, run the below command.

    "%userprofile%\Desktop\remover.exe" fix \\.\PhysicalDrive1

    After running the above, attach a new log from MBRcheck.
     
  28. s4ross

    s4ross Private E-2

    Hi, I ran it, but it didn't seem too successful. It didn't automatically save a log on my desktop, but I had copied it, so I put it into Notepad.

    I also noticed that after running it, I haven't been able to attach anything to emails. There's an error message that says the failure may be due to a firewall or proxy. Not sure if this is related, though.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Correct! It was not a success. Does the drive still work? Can you still see your files?

    Unplug this drive and leave it unplugged for now. Let's see if we can address the problems with your infected Windows files while this drive remains disconnected so that it cannot be a possible problem.

    We really need your Windows boot CD so that the files can be replaced from the Recovery Console. Is there a way you can borrow a CD from someone?


    Does not sound related at all. Is this still a problem after a reboot?
     
  30. s4ross

    s4ross Private E-2

    Unfortunately, I don't own a Windows boot disk, nor do any of my friends. I googled "boot disk" and came up with www.bootdisk.com, but that only led me to the Microsoft website, which suggested I purchase one.

    However, my friend was saying that he has a CD image of Windows XP that he could burn onto a CD-ROM. Would it be possible to use this as a boot disk?

    If so, please explain how I proceed with booting my computer up from this disc and not from the drive itself.

    Thanks!
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It needs to be a Windows XP boot CD not an image of what was already installed. You need to be able to boot the CD and run the Recovery Console.

    Try the following.

    Download this >>> http://www.thecomputerparamedic.com/files/rc.iso

    This is a download of an .iso file of just the Recovery Console for XP. Burn it to CD with Nero or other 'disc image' capable tool and boot.

    It looks just like the start of a normal XP CD, but will only offer the Recovery Console by pressing "R."

    All normal Recovery Console procedures can be run from this utility.

    You will need to set the boot order in your BIOS to boot from CD before it boots from hard disk.

    If you can get the above CD to work and boot to the Recovery Console then let me know and we will try another method to repair your infected Windows files.
     
  32. s4ross

    s4ross Private E-2

    Success! Progress has been made. I made the CD, tried it, and can access the recovery console on my computer.

    I should probably tell you that I'm leaving town on Saturday and won't have access to my computer for about a week and a half. I'll be at home all day tomorrow with access to my computer so I can be on top of working on this!
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's do some preparation work before trying to use the Recovery Console CD.

    Please download and save this XPsp3bu.exe to your C:\ root folder ( or to your Desktop if you have a problem saving to the root). You must do this properly. Now run the XPsp2bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    After MGtools.exe finishes running, locate the C:\MGtools\FixbamRC.bat file and run it by double clicking on it. It will just flash a black screen image really quickly.



    Now attach the below logs:
    • C:\MGlogs.zip
    • also attach the C:\MGtools\fix.txt log file.
    After I see these new logs, I will give you the next instructions where we will attempt to use the Recovery Console!
     
