Rootkit found on a USB drive

Can you then attach all of the requested logs then if you have worked your way through the R&R as you said. Thanks.

 

Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

 

Please boot back into the Recovery console and at the command prompt ( with the USB backup drive connected) type:
fixmbr \device\harddisk2

Then boot back to normal mode and re-run MBRCheck and attach the log.

 

We can try using MBRCheck.

* Run MBRCheck.exe
* Wait until you see the following lines:
o Enter 'Y' and hit ENTER for more options, or 'N' to exit:
o Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:

* Please push the 'Y' key and then press Enter
* When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
* Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
o Enter 2 and press the Enter key.
* The program will show Available MBR codes as below

* You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
* The program will prompt for confirmation. Type 'YES' and hit Enter.
* Left click on the title bar (where program name and path is written). From menu chose Edit -> Select All
* You will see all the text in the window get highlighted.
* Hit the Enter key on your keyboard to copy all of the text into the clipboard.
* Paste that text into Notepad, save it to your desktop as MBRfix.txt
* Restart your PC.
* Attach the MBRfix.txt file to your next message..

Now please re-run MBRCheck.exe and attach that log also.

 

Can you backup what files you have on that disc? You may need to just reformat it to rid yourself of the bad MBR.

 

Yes, it should. After doing that, re-run MBRCheck to be sure.

 

*** Please print these instructions ***

1. Download Hiren's BootCD Iso to the desktop of a clean computer.
2. Extract the zipped HirensBootCD.zip to your desktop.
3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
5. Insert a blank CD in your drive.
6. Press Start. This will burn the image to disc. After it has completed...
7. Restart your sick computer and boot from the HBCD you created.
o If your PC is not booting from the CD, you need to change the boot order:
+ Restart your PC
+ As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
+ Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
+ Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
+ The tab should now show your current boot order.
+ If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
+ Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
o Your PC should now boot from your CD.
o Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
8. When the CD boots choose "DOS BootCD".
http://noahdfear.net/10.2_startup.gif
At the Hiren's BootCD main menu, select Next and hit Enter.
http://noahdfear.net/main_menu.gif
At the second menu select 1 MBR (Master Boot Record)Tools
http://noahdfear.net/menu2.gif
In the list of MBR Tools select 1 MBR Work 1.08
http://noahdfear.net/mbr_tool.gif
This screen will show the hard drive configuration.
http://noahdfear.net/mbr_tool_fix.gif
Type 5 to Install standard MBR code then hit Enter
Type 1 to select Standard then hit Enter
Type Y then hit Enter to confirm
Type E then hit Enter to exit
Press Ctrl+Alt+Del to restart the machine

 

With the drives configured the way you now have them, try using the Recovery Console again. This time, type in:
fixmbr \device\harddisk1

Then re-run MBRCheck again.

 

You need to re-partition the drive. You can try using one of these tools:

diskpart.exe - from the Windows Recovery Console

GParted - http://gparted.sourceforge.net/livecd.php - MGs link: GParted Live

Parted Magic - http://partedmagic.com/doku.php

Partition Logic -http://partitionlogic.org.uk/

Cute Partition Manage - http://www.cutepm.com/

Make sure you are working on the correct drive:

http://support.microsoft.com/kb/300415

 

Another suggestion for you is to disconnect all but the boot drive and see if you are having any issues.

 

What issues are you having when the external USB is connected? You may just have to live with it, since we are not getting it repaired. If you aren't having issues of a malware nature, then you may just have to let it go.

 

You are most welcome. Let me know what you find out and if you can fix it.

In the meantime:

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.We recommend them for doing backup scans when you suspect a malware infection.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   
   
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
10. After doing the above, you should work thru the below link:
    
    • How to Protect yourself from malware!

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0

Help Support MajorGeeks
Buy Discounted Software @ Majorgeeks Store. Giveaways Too!

Majorgeeks Geek Wear. Hats, T-Shirts, Hoodies

MajorGeeks on FaceBook