Invisble IE running, bootkit log.

Welcome to Major Geeks!



Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now run MGtools per the below instructions and attach the requested MGlogs.zip file

• Using MGtools

Also address the below Warning/Questions?

WARNING: Do you have all important data backed up? You really should do this before continuing on to the next steps I will be posting after I see the above log since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.


Also note if you have a Dell PC which uses a non-standard MBR ( or another manufacturer's who does similar to Dell) , fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not continue but you risk serious problems leaving this infection in place and thus your only other option would be to try using the Dell Restore Utility to return a factory ship state which will remove everything you additional you have put onto the PC.

 

Not sure what you mean by "restore point" if you are really referring to Windows System Restore, that is not a backup and you need to back up your own important data properly. System Restore does not do this.

Most Dells do!

 

I cannot comment since you did not say what program you are talking about.




Now if you wish to continue and fix the malware - please do the following:

• Run MBRCheck.exe
• Wait until you see the following lines:
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.
    Enter your choice:

• Please push the 'Y' key and then press Enter
• When the program asks you to Enter your choice: enter 2 to Rstore the MBR and press the Enter key
• Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
• The program will show Available MBR codes as below

• You need to select your version of Windows frrom the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
• The program will prompt for confirmation. Type 'YES' and hit Enter.
• Left click on the title bar (where program name and path is written). From menu chose Edit -> Select All
• You will see all the text in the window get highlighted.
• Hit the Enter key on your keyboard to copy all of the text into the clipboard.
• Paste that text into Notepad, save it to your desktop as MBRfix.txt
• Restart your PC.
• Attach the MBRfix.txt file to your next message..

Then since you have a second physical drive you need to repeat the above but replace the

• Enter 0 and press the Enter key.

With the below for the second drive

• Enter 1 and press the Enter key.