BSOD, Internet Redirection, Trojan? Help please!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by May_Chile, May 2, 2011.

  1. May_Chile

    May_Chile Private E-2

    I have a Toshiba Satellite A305-S6905 with an upgraded (formerly Win Vista) Windows 7 Professional 32-bit OS. I've found something called "click.giftload" under Spybot. Nothing under MWAM or CCleaner. Multiple BSOD, including when I attempt to run combofix. Click.giftload keeps returning, no matter how many times I've cleared it. Please help, I'm at my wit's end.

    --I do not have the installation disc, I only have the recovery disc--

    I'm attaching a DDS report, since it seems to be the only log that will scan and save as of right now. Hope it helps.
     

    Attached Files:

    • DDS.txt (File size: 9.7 KB)
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.


    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. May_Chile

    May_Chile Private E-2

    Thanks:

    Combofix = no. As I've previously stated. BSOD keeps coming up when I attempt to run it, citing an "irql_not_less_or_equal" error code: 0x000000a0; even in safe mode.

    SuperAntispyware = found issues, quarantined and "deleted". Asked for reboot, I clicked okay..BSOD comes up citing "internal_power_failure" same error code as above. No log produced. Ran more than once, same situation.

    RootRepeal = nothing. Warning box pops up: "FOPS - deviceiocontrol error! Error code: 0x0000024. Extended info (0x000000dc)."

    Attached MWAM log and MGlog.
    Did everything else I could from the link that was posted.
    I've also tried something called TDSSKiller (which was recommended by someone else the other day)..that would only load 80% and then "encounter a problem".

    Spybot still finds "click.giftload". Still removes, and it still comes back upon reboot.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah!!! This is important information. You have a new form of Master Boot Record infection. Do you have your Windows 7 Boot DVD? We need to boot into the System Recovery Environment to fix this problem.
     
  5. May_Chile

    May_Chile Private E-2

    As in a Windows 7 Recovery Disc? Yes, I do. (The actual Windows 7 installation disc, however, no). I've tried to run from Recovery Disc multiple times before and there were many instances in which Windows would just not start and I'd have nothing but a black screen.

    I'm listening though..I have the disc in my hand waiting for further instruction :)

    **My Display also tends to jump from standard Windows 7 to what looks like Safe Mode/Windows 95ish lookin...I find it very odd..**
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure if this is the correct disk or not. Is this a bootable disk that allows you to get to the System Recovery Options screen which looks like the below?

    http://forums.majorgeeks.com/chaslang/images/Win7/SysRecOptions.jpg
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try something that may be able to spare us from needing a bootable Win 7 DVD. Please download, install and run the below tool from Kaspersky which may be able to locate and fix the root cause of this problem, which will be a .sys file that has been infected by a TDL infection:

    Kaspersky Virus Removal Tool

    Attach a log from this tool and let us know if it helps.
     
  8. May_Chile

    May_Chile Private E-2

    Yes!! I have that DVD which displays those options.

    I've tried the Kaspersky Virus removal..it won't open. I've downloaded and attempted to Burn to a CD etc as instructed. My drive won't recognize blank cds anymore for some reason, so it won't burn to them (as has been instructed in order to run that particular tool). I've also just attempted to download and run it and see what happens..a no-go.

    :(
     
  9. May_Chile

    May_Chile Private E-2

    OK, Kaspersky ran...odd. I attached it :)
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It did not find what we are looking for.

    Good, you will need it now.

    Put the disc into the drive and reboot with the DVD. We are going to be running the Bootrec.exe command from the Command Prompt per the below instructions.
    1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
    2. Press a key when you are prompted.
    3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
    4. Click Repair your computer.
    5. Click the operating system that you want to repair, and then click Next.
    6. In the System Recovery Options dialog box, click Command Prompt.
    7. Now type Bootrec.exe /fixmbr and then press ENTER.
      • NOTE: There is a space before the /fixmbr
    Then reboot your PC and see how things are working. Also see if you can get TDSSKiller to work properly now. If it runs 100%, all is likely good.
     
  11. May_Chile

    May_Chile Private E-2

    Um okay so now I'm replying to you from my cellphone because I cannot log into my laptop. I did everything you said. Upon reboot, a BSOD flashes really quick with error code: 0x0000007B or what have you..but 7B is the end portion. Then it states that Windows failed to start and try to launch startup repair. I'm trying to boot from the disc and roll back to before I tried the bootrec.exe.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that's not good. :( When you ran the bootrec command did you run into any problems? Were there any messages?

    Can you still boot up this CD and get to the Command Prompt?
     
  13. May_Chile

    May_Chile Private E-2

    I feel like crying :'( um when I did the bootrec.exe it said that it was successful/complete REALLY fast. Literally as soon as I pressed enter. I rebooted and got the quick BSOD. The stop code was the one I posted before 0x000000fb. I've tried everything, I can't get back into Windows. I can boot the CD and get to command prompt. I've run chkdsk and sfc /scannow. I had an unknown bugcheck of 0x870f02c0 (whatever that means). So yes, I can still boot from the CD..but startup repair can't fix it and system restore does nothing :'(
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh and just a note. The 0x0000007B type error message can sometimes occur when there is a master boot record infection and that is exactly what we are trying to fix. Thus it almost seems like the rewrite of the MBR did not completely work for some reason.

    It could also occur due to a faulty driver which again could be due to the infection.
     
  15. May_Chile

    May_Chile Private E-2

    Any other suggestions? :(
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thinking about it. Not sure what went wrong since we have used this many many times without a problem. Even used it quite a few times on this new infection that you have.

    Try getting into the command prompt and running a slightly different command:

    Bootrec.exe /fixboot
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you still get a BSOD, tell me if it mentions any .SYS file name in the error message.
     
  18. May_Chile

    May_Chile Private E-2

    It said it completed successfully, but still can't start windows. There is no .SYS file mentioned. The only thing is the stop: 0x0000007B (0x80786B58, 0xc000000D, 0x00000000, 0x00000000) I've also tried booting from last known config...nothing.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you first get to the command prompt, exactly what text do you see in the window?
     
  20. May_Chile

    May_Chile Private E-2

    Microsoft Windows [Version 6.1.7600]

    X:\windows\system32>
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay type in the below and hit enter and tell me what the prompt changes to.

    C:
     
  22. May_Chile

    May_Chile Private E-2

    Changed to
    C:\>

    :)
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then now enter the below commands and hit enter after each one. Remember the space after bootrec and make sure of the direction of the /

    bootrec /fixmbr

    exit


    Will Windows run now?
     
  24. May_Chile

    May_Chile Private E-2

    No :(

    Again, it said the operation completed successfully, but upon reboot I got the WINDOWS RECOVERY: WINDOWS FAILED TO START and then I selected START WINDOWS NORMALLY and got the same BSOD.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want to see if we can diagnose your BSOD further and if any more info is present.
    • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
    • Select "Disable Automatic Restart on System Failure" from the menu which should look something like below:
    http://forums.majorgeeks.com/chaslang/images/WinAdvOptionsMenu.jpg
    • When your system BSODs, write down the STOP error code, as well as any written out error messages back here. The STOP error will always appear, but the message may not. See if any file names are mentioned anywhere.
     
  26. May_Chile

    May_Chile Private E-2

    Nothing. Just says the same STOP codes I've listed before and talks about the whole "check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated".
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. Does it allow you to get past the BSOD now without rebooting?
     
  28. May_Chile

    May_Chile Private E-2

    "Get past"? The BSOD still shows up, but instead of auto reboot, it just sat there. I rebooted, now it's doing a continuous auto reboot and I'm back at the Windows Error Recovery screen now..
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot from your DVD again ( see the image in message # 6 ) and this time instead of selecting the Command Prompt, select the Startup Repair option and see if that helps.
     
  30. May_Chile

    May_Chile Private E-2

    Yeah I've tried that. When I boot from the CD it says that startup repair cannot automatically fix the problem. Then I click finish and am brought back to the system recovery options again. I run startup repair again and it says that it couldn't detect any problems..which doesn't make sense.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well let's try the System Restore option and go back to a restore point from a day or two back.
     
  32. May_Chile

    May_Chile Private E-2

    Tried it. Still BSOD..
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Running out of options..... Will it boot up in Safe Mode?
     
  34. May_Chile

    May_Chile Private E-2

    No, it won't boot in any safe mode.
     
  35. May_Chile

    May_Chile Private E-2

    Okay, so I posted a thread in the SOFTWARE forum and they were able to boot my laptop back up. Something about the partition. Anyway, now that I've logged in, Windows Update is functioning and currently updating. I've run MWAM and of course, it can't find anything, but Spybot is still coming up click.giftload. I'm printing out the instructions I was given in the Software forum in case this happens again so I know what to do. Any suggestions on the Spybot and click.giftload issue? I honestly don't care if I have to wipe the slate clean and lose files..I just want a clean PC now.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry, I was not able to be around for awhile due to real work.

    Excellent! I did not read all of your other post but that was the direction I was headed in too. It seems like the information for which partition had the active Windows installation was lost somehow.


    What I want you to run now is TDSSKiller and attach the log as requested in the below.

    TDSSkiller - How to run
     
  37. May_Chile

    May_Chile Private E-2

    It's okay, I figured you would be online around this time anyway. I understand there's "real work" out there as well. :)

    10 steps ahead of ya. I ran all of the scanners as listed in the READ NOW MALWARE post and am attaching all the logs. The only one I was unable to run was rootrepeal. I keep getting an error.

    Also, I notice in my My Computer, the drive E: System Reserved. Do you know if this means I'm pretty much not running on my full system? It shows 70MB of 99.9MB is free, I don't know what that means, and I wonder if I'll forever see this drive E now.

    Anyway, logs attached. :)
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like those cleaned up a few more issues ( different ones ). Looks good now but note that you are way out of date with Malwarebytes and need to get properly updated to the current version and the current database.

    It's due to how you have your drive partitioned. In the MGlogs.zip file you can see the below info which is snipped out of the sysinfo.txt log. I edited this to shorten it up and to display only important info.

    Code:
    Drive C: 
    Description Local Fixed Disk 
    File System NTFS 
    Size 297.99 GB (319,965,622,272 bytes) 
    Free Space 229.14 GB (246,039,773,184 bytes) 
     
    [Disks]
    Item Value 
    Description Disk drive 
    Model FUJITSU MHZ2320BH G1 ATA Device 
    Media Type Fixed hard disk 
    Partitions 2 
    Size 298.09 GB (320,070,320,640 bytes) 
    Partition Disk #0, Partition #0 
    Partition Size 100.00 MB (104,857,600 bytes) 
     
    Partition Disk #0, Partition #1 
    Partition Size 297.99 GB (319,965,626,368 bytes) 
     
    Notice that you have a couple of partitions. Partition # 0 is the 100 MB one you mentioned. Not sure what you had on it but it may be from an old system or setup of some sort since it is too small to be a factory recovery partition.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
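As an added example (not code from this thread, from MGtools or from MajorGeeks), here is a short Python script that parses the [Disks] block of a sysinfo.txt snippet like the one quoted above and reports the partition layout the way a responder would read it: it checks that the listed partitions match the declared count and roughly account for the whole disk, and flags any partition small enough to be a Windows 7 System Reserved boot partition. The sample log is the snippet quoted in this post; the field-parsing rules and the 200 MB threshold are this example's own assumptions.

```python
"""Parse the partition section of an MGtools sysinfo.txt snippet and sanity-check it.

Added example, not part of the MajorGeeks thread or of MGtools. SAMPLE_LOG is the
snippet quoted in the thread; the parsing rules and SYSTEM_RESERVED_MAX_BYTES are
this example's own assumptions.
"""
import re

# Constructed from the sysinfo.txt snippet quoted in the thread.
SAMPLE_LOG = """\
Drive C:
Description Local Fixed Disk
File System NTFS
Size 297.99 GB (319,965,622,272 bytes)
Free Space 229.14 GB (246,039,773,184 bytes)

[Disks]
Item Value
Description Disk drive
Model FUJITSU MHZ2320BH G1 ATA Device
Media Type Fixed hard disk
Partitions 2
Size 298.09 GB (320,070,320,640 bytes)
Partition Disk #0, Partition #0
Partition Size 100.00 MB (104,857,600 bytes)

Partition Disk #0, Partition #1
Partition Size 297.99 GB (319,965,626,368 bytes)
"""

# Exact byte count inside the parentheses, e.g. "(104,857,600 bytes)".
BYTES_RE = re.compile(r"\(([\d,]+) bytes\)")
# Windows 7 setup creates a small "System Reserved" boot partition (100 MB by default);
# anything at or below this size is flagged as a likely boot partition. Assumed threshold.
SYSTEM_RESERVED_MAX_BYTES = 200 * 1024 * 1024


def _bytes(line):
    """Extract the exact byte count from a Size line, or None if absent."""
    m = BYTES_RE.search(line)
    return int(m.group(1).replace(",", "")) if m else None


def parse_disks(text):
    """Return the disk model, declared partition count, disk size and partition list."""
    disk = {"model": None, "declared_partitions": None, "size": None, "partitions": []}
    in_disks = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[Disks]":
            in_disks = True          # everything before this header is the drive summary
            continue
        if not in_disks or not line:
            continue
        if line.startswith("Model "):
            disk["model"] = line[len("Model "):]
        elif line.startswith("Partitions "):
            disk["declared_partitions"] = int(line.split()[1])
        elif line.startswith("Partition Size "):   # must be tested before "Partition "
            if current is not None:
                current["size"] = _bytes(line)
        elif line.startswith("Partition "):
            current = {"name": line[len("Partition "):], "size": None}
            disk["partitions"].append(current)
        elif line.startswith("Size ") and disk["size"] is None:
            disk["size"] = _bytes(line)           # the disk's own size, not a partition's
    return disk


def check_layout(disk):
    """Return the findings a responder would note when reading this layout."""
    findings = []
    if disk["declared_partitions"] != len(disk["partitions"]):
        findings.append("partition count does not match the entries listed")
    used = sum(p["size"] or 0 for p in disk["partitions"])
    # Tools round sizes, so small mismatches in either direction are normal; only a
    # sizeable chunk of unaccounted space (hidden or unallocated) is worth a look.
    if disk["size"] and (disk["size"] - used) > disk["size"] * 0.01:
        findings.append("unallocated or hidden space exceeds 1% of the disk")
    for p in disk["partitions"]:
        if p["size"] is not None and p["size"] <= SYSTEM_RESERVED_MAX_BYTES:
            mb = p["size"] // (1024 * 1024)
            findings.append(f"{p['name']}: {mb} MB, likely a boot/System Reserved partition")
    return findings


if __name__ == "__main__":
    d = parse_disks(SAMPLE_LOG)
    print(d["model"], d["declared_partitions"], "partitions,", d["size"], "bytes")
    for f in check_layout(d):
        print("-", f)
```

Run on the quoted snippet, the only finding is the 100 MB partition #0 flagged as a likely boot partition; the two partition sizes add up to within a few hundred KB of the reported disk size, which is normal rounding rather than hidden space.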
     
  39. May_Chile

    May_Chile Private E-2

    Okay, I've read and completed the Final Steps (and updated MBAM). Is it okay to keep TDSSKiller, or should I uninstall that as well? (I've removed Combofix, MGTools, etc).

    I'm running Spybot once more to be 100% that the dreaded click.giftload doesn't reappear.

    Also, one last question: so...I understand about my drive being partitioned, but is it necessary for me to see E:\System Reserved every time I open My Computer? I know it's not a big deal, but it kind of freaks me out like I'm running on a backup drive or something. Can it be "deleted" per se?
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It should have been removed when you ran MGclean.bat. But the answer is no, do not keep it. It should be downloaded any time the program is needed so that you have the correct version since it updates frequently.

    You can discuss this more in the Software Forum if you need to after reading the below, because it is not a malware issue. See:

    http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/can-i-delete-the-system-reserved-partition-from/656014d2-a516-46e6-a841-d0f9333ecb48


    http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/76116c99-f69a-421b-b188-0ebad4a19b9d/
     
  41. May_Chile

    May_Chile Private E-2

    Okay. Thank you soooo much for your help!! Hopefully, I won't have such a horrible issue to the point that I have to return here, but if something ever happens again, I know EXACTLY where to go. You're the best!!



    **Thread can be closed now** :)
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
