background clicks, ad popups, iexplore.exe etc.

Discussion in 'Malware Help (A Specialist Will Reply)' started by canthaxanthin, Aug 6, 2010.

  1. canthaxanthin

    canthaxanthin Private E-2

    Hi,

    Firstly, I'm aware this issue is (I think) typically caused by MBR issues; I'm also aware there are a few similar topics, but I've never needed to resolve a boot record problem before and I'm not sure of the process as might relate to my computer specifically.

    To hopefully save you time, since I'm fairly confident my system is clean of anything else, I'll just include the Bootkit Remover info to confirm:


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\F:
    \\.\F: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 43681238a36fcdb2537088be090c7e39

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...


    If you can advise about the exact steps I need to take to fix this (or make any other suggestions), it'd be very much appreciated!
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I need to ask some questions:
    1. Do you have any drives that have a non-Windows installation on them?
    2. Are all drives NTFS formatted?
    3. Do you have any non-standard or special MBRs, which can occur from companies like Dell or HP who frequently install additional partitions used for recovery in lieu of giving CD/DVDs?
    4. Is any program like Grub (see: http://www.gnu.org/software/grub/) being used?
    5. Is drive encryption being used?
    6. Are any drives external USB pen drives or external hard drives being used?
    7. VERY IMPORTANT: Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.
     
  3. canthaxanthin

    canthaxanthin Private E-2

    Thanks for the response! Unfortunately things obviously were worse than I thought; my desktop spontaneously restarted last night and now hangs during startup as the MBR is failing to load.

    I'm unsure if I'll still need to repair the MBR errors once I've managed to get my computer booting into Windows again but I'll assume it'll be necessary, so to answer:

    1. No; I have two drives installed, but only one runs Windows as the sole OS
    2. Both drives are NTFS
    3. No, I installed the OS myself as standard
    4 & 5. No, and I've never used anything similar in the past
    6. I use an external but it's generally switched off, and I occasionally change the drive installed
    7. Yep, my data is backed up as a matter of course

    Thanks in advance!
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now if you wish to continue and fix the malware - please do the following:
    • Run MBRCheck.exe
    • Wait until you see the following lines:
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
      • Options:
        [1] Dump the MBR of a physical disk to file.
        [2] Restore the MBR of a physical disk with a standard boot code.
        [3] Exit.
        Enter your choice:
    • Please push the 'Y' key and then press Enter
    • When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
    • Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
      • Enter 0 and press the Enter key.
    • The program will show Available MBR codes as below
    • You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
    • The program will prompt for confirmation. Type 'YES' and hit Enter.
    • Left click on the title bar (where program name and path is written). From the menu choose Edit -> Select All
    • You will see all the text in the window get highlighted.
    • Hit the Enter key on your keyboard to copy all of the text into the clipboard.
    • Paste that text into Notepad, save it to your desktop as MBRfix.txt
    • Restart your PC.
    • Attach the MBRfix.txt file to your next message.
    Also tell me how things are working.

    Then continue on with the below and let me know how things are running.

    READ & RUN ME FIRST. Malware Removal Guide
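Both Bootkit Remover's "Unknown boot code" verdict in the first post and the dump/restore options in the MBRCheck steps above come down to the same check: the first 440 bytes of sector 0 (the boot code) are hashed and compared against known-good images, while the partition table and 0x55AA signature that follow are what fixmbr leaves untouched. As an added example (not a tool from this thread or from either program), the Python below parses a constructed 512-byte MBR, validates the signature and partition entries, and hashes the boot code the same way; the KNOWN_GOOD_BOOT_CODE_MD5 allow-list holds a placeholder, not a real hash.

```python
import hashlib
import struct

# Constructed 512-byte MBR image (not a dump from the thread): filler boot code,
# one bootable NTFS partition entry, and a valid 0x55AA boot signature.
BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432   # 440 bytes
DISK_SIGNATURE = b"\x12\x34\x56\x78" + b"\x00\x00"                 # 6 bytes
PART0 = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])   # bootable, type 0x07 (NTFS)
         + struct.pack("<II", 63, 312_500_000))                   # start LBA, sector count
PARTITION_TABLE = PART0 + b"\x00" * 48                             # three empty entries
SAMPLE_MBR = BOOT_CODE + DISK_SIGNATURE + PARTITION_TABLE + b"\x55\xaa"

# Hypothetical allow-list: MD5 of the standard boot code for the installed Windows
# version would go here, taken from a clean install.  Placeholder value only.
KNOWN_GOOD_BOOT_CODE_MD5 = {
    "xp": "PLACEHOLDER-xp-standard-boot-code-md5",
}

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition table and signature flag."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0:                      # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_md5": hashlib.md5(mbr[:440]).hexdigest(),
            "signature_ok": mbr[510:512] == b"\x55\xaa",
            "partitions": partitions}

def assess_mbr(mbr: bytes, known_good: dict) -> str:
    """Mirror the tool's verdict: known boot code, unknown boot code, or invalid."""
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "invalid: missing 0x55AA boot signature"
    if info["boot_code_md5"] in known_good.values():
        return "known boot code"
    return "unknown boot code"

if __name__ == "__main__":
    print(parse_mbr(SAMPLE_MBR))
    print(assess_mbr(SAMPLE_MBR, KNOWN_GOOD_BOOT_CODE_MD5))
```

An "unknown boot code" result only means the hash is not on the allow-list; a custom or OEM boot loader would produce the same verdict, which is why the questions about Grub, Dell/HP recovery partitions and encryption come before any rewrite.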
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @Kestrel13!, the user said the below, so I expect that your fix cannot be run!
    @canthaxanthin, you will have to boot from your Windows XP CD, get into the Recovery Console, and run fixmbr from the command prompt.
     