I Don't Know

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sopheatia, Nov 11, 2011.

  1. sopheatia

    sopheatia Private E-2

    It all started a day ago. I caught some nasty thing called protect.exe. I managed to rename it, move it to a folder, and delete it. I knew it wasn't over yet, so I went to look up some info on the nasty thing and found my websites were starting to redirect themselves. I downloaded AVG because that's what the site was telling me to do. Turns out AVG wouldn't work, so I tried Avast. I came up with lots of things; one in particular was Win32:Malware-gen, which led me to this site, in one of the forums with that exact topic. I tried to follow instructions as well as possible, for every computer is different. After that I decided to follow the Malware Removal Guide, step by step, starting with (Fixing Google Redirection/hijacking and other redirection problems), then moving on to (READ & RUN ME FIRST. Malware Removal Guide) and then (Windows XP Malware Removal/Cleaning Procedure). Things got worse and then they got better, but the problem still isn't solved.

    I was able to remove AVG with the AVG removal guide. I also removed Avast because it was not helping. Couldn't get TDSSKiller or RootRepeal to work. Reloaded Java. Ran estscan, MBRCheck, GooredFix, SUPERAntiSpyware, MGTools and Malwarebytes. (Note: in the order the forum told me to.) On the other hand, ComboFix starts and begins doing its thing but stops after it gets to the (I'm going to scan for infections, should only take about ten minutes) phase. A message popped up saying that a certain virus was on my computer and that it was very dangerous, and if I had problems connecting to the internet to reboot and run ComboFix again. I should have written down the exact virus info but I figured ComboFix would run through and I'd get a log. I waited 8 hours and ComboFix never moved from that spot. Tried to run it again and it stopped there as before, only with no warning message.

    I am at a loss as to what to do now. I keep getting a message telling me to update Flash Player, even when it's uninstalled. The message will continuously pop up; I got it up to thirty stacked once. A proxy server still appears in my Firefox every time I restart the computer, as well as in Internet Explorer. I don't use a proxy, nor do I use Internet Explorer. Internet Explorer will open on its own. My firewall said it was on while it was off and then randomly changes when I look at firewall settings. Several update shield logos will appear next to the clock, mainly when I was running ComboFix. Not all logs can fit here. I hope this info will help, and thank you for your time. :major
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you attach the C:\Mglogs.zip from running C:\MGTools.exe please.
     
  3. sopheatia

    sopheatia Private E-2

    sure can :cool
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good afternoon! :) You have an infected MBR (Master Boot Record). Please be warned that you would be wise to back up any important data before proceeding with the next step of attempting to fix your MBR.

    Do you have your XP boot CD? If not:

    This is a download of an .iso file of just the Recovery Console for XP.
    Burn to CD with Nero or other 'disc image' capable tool and boot.

    XP Recovery Console.

    You can use ImgBurn to create the disc.

    Boot to the bios after creating the disc, and change the boot order to CD/DVD as first boot device. Then insert the CD and reboot. Once you are in the Recovery Console, type:
    fixmbr

    then exit. Reboot to normal mode and re-run MBRCheck and attach the new log.
     
  5. sopheatia

    sopheatia Private E-2

    :( I'm sure I did it right :cry
     

    Attached Files:

  6. sopheatia

    sopheatia Private E-2

    OHH and hello to you :)
    I did exactly as the instructions said. Wrote the file to the CD and booted from CD. Ran fixmbr. It said it was a success but I'm still having the same issues.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What are you using for AV protection? I don't see any listed in your add/remove programs file.

    Please attach the log from running ComboFix:
    * C:\ComboFix.txt

    Use windows explorer to find and delete:
    C:\Documents and Settings\Sopheatia\Application Data\B4AD1
    C:\Program Files\D1B80
    C:\Documents and Settings\Sopheatia\Local Settings\Temp\2147483647.dat
    C:\Documents and Settings\Sopheatia\Local Settings\Temp\kJ87hjKF.exe.part

    Now re-run MBRCheck and attach that new log.

    Also, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
    * MBRCheck log
     
  8. sopheatia

    sopheatia Private E-2

    No AV protection. As I said before, AVG wouldn't work, so I downloaded Avast. But Avast was spamming me harder than the malware, so I had it removed. It was also going to cause conflict with your programs. I used the AVG removal tool to get rid of AVG and just uninstalled Avast.

    I tried to run ComboFix again, because you said you wanted a log, but it stalled in the same spot as before.

    I deleted the files that you asked and ran MBRCheck as well as MGTools. I ran into an error whilst running MGTools that stated [The application failed to initialize properly (0xc0000135)]. HijackThis did not pop up in the process of running MGTools.

    :confused
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to make 100% sure that you are booting from the Recovery Console on the CD and not the installed version of the Recovery Console that is already on your hard disk. If you boot from your hard disk, you will not be able to fix the MBR properly because you will have already loaded the infection, which will block the fix.
     
  11. sopheatia

    sopheatia Private E-2

    Downloaded enus\x86\mseinstall.exe and it found a virus, Win32/Patchload.O, which was successfully disinfected.

    Ran fixmbr again and it claimed to be a success. Yes, I am sure that I booted from CD. The first time I tried I messed up and put in a blank CD :-o and tried to run RC off of the HD. It got about 3 ticks in and stalled. The CD actually works.

    I'm afraid things are getting worse though. I'm starting to see advertisements in words such as harddisk, application, step, etc. I can see them even on your website :( and Windows Media Player is opening randomly with things I've never seen.

    Same error on MGTools.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We are starting to notice that there must be a new form of this infection as many people are doing a fixmbr command but still having a faked MBR message in MBRCheck. We need to look into this. Have patience.

    Note: You also do not have MGTools directly on your C: drive as requested.

    Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).

    * Go to Start > Run and type: cmd.exe
    * press Ok.
    * At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
    * press Enter.
    * The process is automatic...a black DOS window will open and quickly disappear. This is normal.
    * A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
    * Copy and paste the results of the mbr.log in your next reply.

    If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.
     
    Last edited: Nov 13, 2011
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not be doing anything that we do not ask you to do!

    Tell me exactly what you see when you boot your PC and also tell me what phases/stages you go through in booting from the CD. When finished booting the CD, exactly what are you seeing on the screen?
     
  14. sopheatia

    sopheatia Private E-2

    Haya guys :)

    @chaslang sorry, I wasn't thinking.
    This is how it boots:

    HP Pavilion boot screen

    Black screen saying: Press any key to boot from CD
    Key pressed: space bar

    Blue screen saying: Setup
    Press F6 if you need to install 3rd party device (5 seconds remaining)
    Setup is loading files (lots of files)

    Setup is starting Windows

    Windows XP Home Edition Setup
    Welcome to Setup
    This portion of the Setup program prepares Microsoft (R) Windows (R) XP to run on your computer
    -To set up WINDOWS XP now, press Enter.
    -To repair a WINDOWS XP installation using Recovery Console, press R
    -To quit Setup without installing WINDOWS XP, press F3
    Key pressed: R

    Black screen saying: Microsoft Windows XP (TM) Recovery Console
    The Recovery Console provides system repair and recovery functionality
    Type EXIT to quit the Recovery Console and restart the computer
    1:\windows
    Which Windows installation would you like to log onto
    {To cancel, press Enter}? Key pressed: 1 and then Enter
    {C:\windows} fixmbr and then Enter

    A warning about the potential harm this action could do

    and then a success note

    I could get the rest of the info if I did it again but not until you ask me to :)

    @TimW MGTools is in the main C: drive :confused it's not in a folder or anything. Should I uninstall and try to install to C: again?

    Installed mbr.exe to C: only once I run it my computer stalls. It gets as far as:

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4
    detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Maxtor_6E040L0
    rev.NAR61EA0-> Harddisk0\DR0-> \Device\Ide\IdeDeviceP0T0L0-3

    device: opened successfully
    user: MBR read successfully
    Kernel: MBR read successfully
    user and kernel MBR ok

    No log :( because the computer crashes every time I run it :cry

    Note: I managed to stop some things from happening, like the ads in words, by using Task Manager to close plugin-container.exe and iexplore.exe to stop the download Flash Player pop up. Should I not do that?
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller
     
  16. sopheatia

    sopheatia Private E-2

    I tried everything :major it won't work. I renamed it. Uninstalled it and reloaded it like ten times. It won't do anything. I get to the run option and click run but nothing happens. This kilobytes. :(
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot from the CD again and get into the Recovery Console again. This time do not enter the fixmbr command. Please just type in map and hit enter. I want you to tell me what output you get from this command. You will have to write it down and then type it into a message.
     
  18. sopheatia

    sopheatia Private E-2

    This is what happened:

    C: NTFS 39198MB \Device\Harddisk4\Partition1

    I: 9MB \Device\Harddisk4\Partition2

    H: \Device\CdRom0
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, log back into the Recovery Console and this time we will use fixmbr again but with a new parameter added so that the correct disk is fixed. Run the below. Note the space after fixmbr.

    fixmbr \Device\Harddisk4

    Then reboot and continue with the below.

    Also, here are a few more things for you to do:
    1. You are quickly approaching the point where you do not have enough free disk space, and your computer will run poorly/slowly when free disk space gets low. And you have a rather small hard disk by today's standards. Your log shows:
      • Size 38.28 GB (41,101,688,832 bytes)
      • Free Space 4.57 GB (4,912,091,136 bytes)
    2. Uninstall SUPERAntiSpyware
    3. Uninstall Ask Toolbar
    4. Uninstall StartNow Toolbar
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    • After reboot, please save Win32kDiag file to your desktop.
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log.
    "%userprofile%\desktop\win32kdiag.exe" -f -r


    Now run a new scan with MBRCheck.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • the Win32kDiag.txt log
    • the new MBRcheck log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  20. sopheatia

    sopheatia Private E-2

    You are a demigod sir. :-D The fixmbr said it was a success. Managed to remove the useless programs. I have been wanting to get rid of that messenger forever. :) fixme.reg was a success. The Avenger was a success. I'm not 100% positive that Win32kDiag ran all the way through. I wasn't sure which MBRCheck to use so I went with the one on the desktop; let me know if I should have used the one on C: that I was informed to download earlier. MGTools came up with this error:
    HijackThis
    Error Details:
    An unexpected error has occurred at Procedure: modMain_CheckOther1Item() Error#5-Invalid procedure Call or argument
    Windows version: Windows NT 5.01.2600
    MSIE version: 8.0.6001.18702
    HijackThis version: 2.0.4
    and then came up with this error again:
    The application failed to initialize properly (0xc0000135).

    I'm not sure the redirection problem is fixed as Internet Explorer opened when I submitted the error for HijackThis. The Flash Player download pop up has stopped and the plug-in isn't attempting to burn out my CPU. I didn't mention that before, but at random my computer would just go berserk and I would have to stop the process. Things are running smoother than before and it feels like I have control over my computer again. Something's still iffy about it though. :major
     

    Attached Files:

  21. sopheatia

    sopheatia Private E-2

    Startup is nasty. It asked me to put in a password; I had that feature disabled. It took a really long time to load and still hasn't got the start menu up. The entire screen was black for like sixty seconds and by some miracle I was able to get into the start properties and open the desktop feature, just to be able to get back online. Kind of scary :( and I lost the ability to do everything now. All I have is the internet screen as my last hope. I can still rig it to get around though, just can't close a window or I'll never see it again. LOL
     
    Last edited: Nov 14, 2011
  22. thisisu

    thisisu Malware Consultant

    When you ran the map command and received this, did you shutdown or reboot the computer before running the fixmbr \Device\Harddisk4 command?

    Or did you run map and fixmbr \device\harddisk4 in the same session while in the recovery console?
     
  23. sopheatia

    sopheatia Private E-2

    No, I restarted before the fixmbr \harddisk\4
     
  24. thisisu

    thisisu Malware Consultant

    Can you boot back into the recovery console, and type the map command again, let us know the output.

    Then, DO NOT reboot or shutdown. Just wait for one of us to respond. I'll be online for the next half hour if you're still here to respond.
     
  25. sopheatia

    sopheatia Private E-2

    kk but startup is scary, I don't know if it will start again
     
  26. thisisu

    thisisu Malware Consultant

    Remember to BOOT FROM THE CD. ;)
     
  27. sopheatia

    sopheatia Private E-2

    Sorry, took so long. I had to piece together some old computers and they are slow. Slow, it takes like 10 min to load a page LOL. But anyway I got to the RC and the map said the same thing as it did before.
     
  28. thisisu

    thisisu Malware Consultant

    fixmbr \Device\Harddisk1

    try that, then reboot and rerun MBRCheck.
     
  29. sopheatia

    sopheatia Private E-2

    It tells me that:
    The old master boot record cannot be read
     
  30. thisisu

    thisisu Malware Consultant

    Ok, just exit out of the recovery console and try the below:

    Please download aswMBR by Avast! to your desktop.
    • Double-click aswMBR.exe to run it (Vista and Win7 right-click and select Run as Administrator)
    • Select No when asked Would you like to download latest Avast! virus definitions?
    • Click the [FixMBR] button.
    • Follow the prompts and reboot

    Once back in Windows, rerun MBRCheck .
     
  31. sopheatia

    sopheatia Private E-2

    aswMBR.exe will not open :( I only have 17 processes running, some are opening and closing, and I can see in the applications tab SysFader pops up and disappears when I open apps. But nothing happens when I try to open aswMBR.exe
     
  32. thisisu

    thisisu Malware Consultant

  33. sopheatia

    sopheatia Private E-2

    It worked. Well kind of. It found 16 traces no identified threats. :) program is still idle right now what should I do?
     
  34. thisisu

    thisisu Malware Consultant

    If it's still idle, try rebooting and rerunning it. Let us know if it still finds a problem.

    If not, attach a NEW log from MBRCheck.
     
  35. sopheatia

    sopheatia Private E-2

    Ran all the way through. Here's the log.
     

    Attached Files:

  36. thisisu

    thisisu Malware Consultant

    Reboot back into the Recovery Console (the one on the CD, _not_ the one built into your hard drive).
    Type map in the command prompt again.
    Give me the output once again.
    Await further instructions.
     
  37. thisisu

    thisisu Malware Consultant

    You may want to give this tool a try: http://pxnow.prevx.com/antipopureb.exe
    Save it to your desktop and run.
    It's about the only infection I've heard of that will prevent you from restoring a clean MBR.

    The AntiPopurb_Log.txt will appear on your desktop when it has finished. Attach this log to your next message
     
  38. sopheatia

    sopheatia Private E-2

    :) Here it is. Hope that worked
     

    Attached Files:

  39. sopheatia

    sopheatia Private E-2

    map is still the same:

    C: NTFS 39198MB \Device\Harddisk4\Partition1
    I: 9MB \Device\Harddisk4\Partition2
    H: \Device\CdRom0
     
  40. thisisu

    thisisu Malware Consultant

    If map is still the same, type the following

    fixmbr \device\harddisk4

    Not sure why this is not correcting your MBR yet. You're absolutely positive you're running off of the CD correct?
     
  41. sopheatia

    sopheatia Private E-2

    It said that it was a success. Ran an MBRCheck and this is what it came up with.
     

    Attached Files:

  42. sopheatia

    sopheatia Private E-2

    Is that what is supposed to happen ?
     
  43. thisisu

    thisisu Malware Consultant

    It sounds like you are doing it correctly to me.

    I don't mean to doubt you. It's honestly just because I have never seen fixmbr from CD unable to restore a clean MBR. I do not think the other Malware Fighters have either.

    You aren't the only one experiencing this problem now though, there are multiple threads currently active where fixmbr / bootrec /fixmbr is simply not resolving the MBR infection.

    How are things running on the PC? You are still getting redirected correct?

    Please be patient as we try to think of other ideas.
     
  44. thisisu

    thisisu Malware Consultant

    We may have to remove a partition from a CD; first let me know if you are able to see it in Windows.

    Open My Computer, what Hard Disk Drives are listed?
    Do you see any partition that is around 8-9 megabytes (MB)?

    If so, what is the drive letter of this partition?
     
  45. sopheatia

    sopheatia Private E-2

    It's OK. :) I understand you guys are doing your best. I've never seen anything like this either. That's why I am working with you to try to solve this puzzle :major .

    Things are a little messed up. It is almost like I am using just a fragment of windows OS to manage. Kind of like I'm in safe mode only not. It is hard to describe. Yes, I believe the redirection problems are still there but not as bad as before. My home page has changed itself to MSN. It has been so long since I changed it I forgot how to put it back:-D.

    There is only one HD that is showing [ Local Disk {C:} ]. Not seeing anything about partitions.
    No name. Type: Local Disk. File system: NTFS. Used space: 36,296,814,592 bytes 33.8 GB. Free space 4,804,874,240 bytes 4.47 GB. Capacity: 41,101,688,832 bytes 38.2 GB. Allow Indexing Service to index this disk for fast file searching. All disk drives: Name- Maxtor 6E040L0 Type- Disk drives, Name- HL-DT-ST DVDRRW GWA-4166B Type- DVD/CD-ROM drives.
    WARNING{Volumes} Volume information for this disk cannot be found. This may happen if the disk is a 1394 or a USB device on a Windows 2000 machine.
    Location: Location 0 (0). Manufacturer: (Standard disk drives). Device status: This device is working properly. Policies: Enable write caching on the disk. Driver Provider: Microsoft. Driver Date: 7/1/2001. Driver Version: 5.1.2535.0. Digital Signer: Not digitally signed.
    Driver files:
    C:\WINDOWS\system32\DRIVERS\disk.sys
    C:\WINDOWS\system32\drivers\PartMgr.sys

    I didn't know what to look for so I wrote down everything I could find. Note: It wouldn't let me populate the volumes.

    I am able to see the CD on windows.

    Just let me know what to do next.:-D
     
  46. thisisu

    thisisu Malware Consultant

    Start > Run > diskmgmt.msc
    A window called "Disk Management" should open.

    Can you take a picture of what is here?
     
  47. sopheatia

    sopheatia Private E-2

    Ran the disk management and it came up with this error message: [Logical Disk Manager] The RPC server is unavailable.

    Disk Management screen said: Unable to connect to Logical Disk Manager service.

    How do you take a screen shot? Never done it before.
     
  48. thisisu

    thisisu Malware Consultant

    Were you in Safe Mode when you attempted that?

    Doesn't really matter now. Here are the steps to resolve your MBR infection.

    You may want to print out the rest of these instructions.
    -------------------------------------------------------
    I am still working out the kinks of this procedure so let me know if you have any questions before proceeding. A lot of problems with the partition tables are caused by this infection and can take some time to fully resolve.

    First, download gparted-live-0.10.0-3.iso (115.1 MB).
    You will need a blank CD to burn this ISO to. You can burn the .ISO using software like ImgBurn.

    Now boot off of this newly created CD.

    http://img829.imageshack.us/img829/5772/gpartedsplash.th.png
    You should be here...
    Press ENTER

    http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png
    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

    http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
    Choose your language and press ENTER. English is default [33]

    http://img140.imageshack.us/img140/7958/gpartedgui.th.png
    Once again, at this prompt, press ENTER

    You will now be taken to the main GUI screen below
    http://img32.imageshack.us/img32/1122/gpartedo.th.png
    According to your logs, the partition that you want to delete is 8.02 MB (MiB)
    Click the trash can icon to delete and then click Apply.

    You should now be here confirming your actions:
    http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

    Now you should be here:
    http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

    http://img194.imageshack.us/img194/7753/gpartedboot.th.png
    Is "boot" next to your OS drive? -- According to your logs, your OS drive is the 38GB (GiB) size partition.

    If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

    In the menu that pops up, place a checkmark in boot like the picture below:
    http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

    Now double-click the Exit button.

    You should receive a small pop up like this:
    http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
    Choose reboot and then press OK.

    Now reboot into the Windows XP recovery console USING THE CD and execute the following commands from the command prompt:

    • fixmbr
    • fixboot
    • exit

    Once back in Windows, attempt to rerun MBRCheck and attach its latest log.
     
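As an added illustration, not code from this thread or from any MajorGeeks tool, here is what the map output and the gparted steps above are inspecting: a Python parser for the 512-byte MBR partition table that reports an OS partition lacking the 0x80 boot flag and a small extra partition like the 9 MB one in this thread, plus the flag repair that the "boot" checkbox performs. The sample MBR bytes are constructed for the example; the 0x17 type id, the LBA offsets and the 16 MiB "tiny" threshold are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_BYTES = 512
TABLE_OFFSET = 446        # partition table follows the 446 bytes of boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
ACTIVE_FLAG = 0x80
TINY_PARTITION_MIB = 16   # assumed threshold: smaller than this is unusual on an XP-era disk
ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def size_mib(self) -> float:
        return self.sectors * SECTOR_BYTES / (1024 * 1024)

    @property
    def is_used(self) -> bool:
        return self.type_id != 0 and self.sectors != 0


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the four primary entries of a 512-byte MBR sector."""
    if len(mbr) < SECTOR_BYTES:
        raise ValueError("need a full 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        parts.append(Partition(i, status, type_id, lba, count))
    return parts


def audit(parts: List[Partition]) -> List[Tuple[str, str]]:
    """Return (code, message) findings worth a second look."""
    findings = []
    used = [p for p in parts if p.is_used]
    if not any(p.status == ACTIVE_FLAG for p in used):
        findings.append(("NO_ACTIVE", "no partition carries the 0x80 boot flag"))
    for p in used:
        if p.status not in (0x00, ACTIVE_FLAG):
            findings.append(("BAD_STATUS", f"entry {p.index}: status 0x{p.status:02x} is not 0x00/0x80"))
        if p.size_mib < TINY_PARTITION_MIB:
            findings.append(("TINY_PARTITION", f"entry {p.index}: only {p.size_mib:.1f} MiB, type 0x{p.type_id:02x}"))
    # overlapping extents mean the table was edited by something other than a partitioner
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in used)
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(("OVERLAP", f"entries {a} and {b} overlap"))
    return findings


def set_active(mbr: bytes, index: int) -> bytes:
    """Copy of the MBR with only entry `index` flagged active (what gparted's 'boot' flag does)."""
    out = bytearray(mbr)
    for i in range(4):
        out[TABLE_OFFSET + i * ENTRY_SIZE] = ACTIVE_FLAG if i == index else 0x00
    return bytes(out)


def build_sample_mbr() -> bytes:
    """Constructed layout echoing the thread: a 39198 MiB NTFS volume with no boot
    flag, followed by a 9 MiB second partition (type id 0x17 chosen arbitrarily)."""
    mbr = bytearray(SECTOR_BYTES)
    ntfs_sectors = 39198 * 2048                      # 2048 sectors per MiB
    entries = [
        (0x00, 0x07, 63, ntfs_sectors),              # NTFS, boot flag missing
        (0x00, 0x17, 63 + ntfs_sectors, 9 * 2048),   # the small extra partition
    ]
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE, *entry)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)
```

Running `audit(parse_mbr(build_sample_mbr()))` reports NO_ACTIVE and TINY_PARTITION; after `set_active(mbr, 0)` only the tiny partition remains to be dealt with, which is the deletion step gparted performs above.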
  49. sopheatia

    sopheatia Private E-2

    That was amazing ;)
     

    Attached Files:

  50. thisisu

    thisisu Malware Consultant

    :cool

    Are you having any other issues?
     
