Just Messed Up Everywhere :(

Discussion in 'Malware Help (A Specialist Will Reply)' started by 1jzx5000, Aug 29, 2010.

  1. 1jzx5000

    1jzx5000 Private E-2

    Hello Major Geeks. Thank God there's guys like you out there.
    I stumbled upon this site and forum approximately 3 weeks ago in what was then a desperate attempt to resolve some pretty obnoxious malware issues - Ironically enough this has been my first experience with anything of the sort in the 25+ years I have been using computers (Commodore 64/Tandy TRS-80 days - such simple days then - but fairly useless also!) Guess without them though we couldn't have gotten here.
    I had hoped (and actually believed) that my troubles were over as early on as the completion of the first two processes that you guys outline (SAS & Malwarebytes). I noticed an immediate difference even at that point - should've known better.
    My initial awareness of such trouble came from what seemed like an overnight transition - literally. One day I was working with the typical efficiency, speed and stability I've come to appreciate, and the next day soon after booting up things were going haywire. In addition to what I imagine are typical symptoms (redirection on links, pop-up surveys, etc) I noticed a significant decrease in system performance and also experienced two lock-ups which resulted in my having to proceed with manual shut-downs. Additionally, all prior System Restore points had been wiped out. Again, I did not bother to post for help at that time as it seemed like things were going pretty smoothly after just two scans, considering the resulting malware that had been removed. Foolishly enough, I had not bothered to think it strange, even though I never actually was able to successfully run MGtools at the end. I decided that it was just simply a fluke between the software and my system. What seemed like sufficiently restored performance along with denial and the desire to just move on and put it in the past were prime motivators for me to leave you guys alone.
    Well, here I am. This time I was able to complete all of the steps required as I decided to be extremely thorough. Additionally, I am submitting two RootRepeal logs as the first alerted me of its inability to read the boot sector on one particular drive, and required my going back to adjust the disk access level before executing a rerun. As of this moment I have once again regained what seems like a reasonable state of stability, but my fears are of what might actually still be lurking in my system. My system froze up at least a dozen times today. RootRepeal has identified what it believes to be an MBR Rootkit on my external WD Passport (HDD). Also, I have noticed in great length other little problems all over the place. For example, NO MATTER WHAT I HAVE TRIED (having researched and experimented at great length), msconfig continues to spit out the same message whenever I go near it - "An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes." Needless to say, I am the owner, the Administrator, and everything thereafter. Fortunately, as far as msconfig is concerned, even though I continue to receive these access denied errors, I am not actually denied access - it seems to allow the changes. It would be really nice however to figure out what the heck is going on. Every single search I've done on the matter results in its association with malware or corrupt files or the both. As of now I have executed every recommended procedure for the fix with no success. I am hoping to avoid a CD repair of the OS (if at all possible). Furthermore, it seems that in order to gain access or control over certain files I have to actually go in and 'add' myself as a user who has those permissions.
    On one final note, an inspection of the Event Viewer (local) in Component Services has revealed a huge list of errors and warnings, most of which I wouldn't even know where to begin as far as fixing is concerned. I can only imagine what else.
    Well, I'll be waiting patiently for your prognosis (with fingers crossed). Thanks again for just being there and doing what you guys do. Hopefully I've been as thorough as possible. I will be sure not to attempt any further changes until I hear from you guys - Thanks. (WILL POST REMAINING TWO LOGS IMMEDIATELY FOLLOWING THREAD SUBMISSION)
     

    Attached Files:

  2. 1jzx5000

    1jzx5000 Private E-2

    additional logs
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )


    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    C:\Documents and Settings\Jamie\Local Settings\Application Data\koioiubsr
    C:\Documents and Settings\Jamie\Local Settings\Application Data\mmopirypi
    C:\Documents and Settings\Jamie\Local Settings\Application Data\tncoicaao
    
    DirLook::
    c:\program files\SearchPredict
    c:\program files\Regedit
    c:\documents and settings\Jamie\Application Data\Toolbar4
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074C1DC5-9320-4A9A-947D-C042949C6216}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Run Rootrepeal again and attach the log it creates.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, also attach logs from both TDSSKiller and MBRCheck.exe also rootrepeal.

    Let me know how things are running, please.
     
  5. 1jzx5000

    1jzx5000 Private E-2

    Hello Kestrel13!

    Thank you for such a quick response. I am attaching everything you've requested.

    Please note that at the end of the MBRCheck I was given options to Dump MBR to file, Restore MBR to standard boot code, or Exit. I chose to Exit without any action as that seemed to be the closest thing to the instructions you gave me (those specific options were not addressed).

    Okay - As with the original thread I will submit two posts here to include the 5 total logs requested.

    Again Kestrel13!, thank you so much - I will keep a watch for your next post.
     

    Attached Files:

  6. 1jzx5000

    1jzx5000 Private E-2

    AND LAST BUT NOT LEAST - MGlogs.zip
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We may need to do something else but in the meantime let me know how things are running now?
     
  8. 1jzx5000

    1jzx5000 Private E-2

    Hello Again - For the most part everything seems pretty stable as of right now. Definitely a significant difference from how it was running before!

    One thing Kestrel, I woke this morning to what I guess is known as the infamous BSOD?? The Blue Screen Of Death. I had the dump analyzed using a program called WhoCrashed and have attached it here for the heck of it.

    Is this just irony that this has happened now or do you think that this could've somehow been related to the malware issue?

    Also, do you have a recommendation for whatever was reported by MBRCheck regarding non-standard or infected MBR? I know there was an option for dump to file or restore with standard boot code.

    Since the restart after the crash I double checked all USB controllers and everything seems (at least to me) to be in order. No conflicts are reported. I've been working on the system all day and no major problems so far, thankfully. Okay Kestrel - Let me know. Thank you again.
     

    Attached Files:

  9. 1jzx5000

    1jzx5000 Private E-2

    I sent a reply Kestrel but it said it was being submitted to moderators for approval???
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, I approved your thread. So it shows now. Bear with me because I have to ask Chaslang something before we continue. :)
    Thanks for understanding.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.

    Also note if you have a Dell PC which uses a non-standard MBR (or another manufacturer's who does similar to Dell), fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not continue but you risk serious problems leaving this infection in place and thus your only other option would be to try using the Dell Restore Utility to return a factory ship state which will remove everything additional you have put onto the PC.



    Now if you wish to continue and fix the malware - please do the following:
    • Run MBRCheck.exe
    • Wait until you see the following lines:
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
      • Options:
        [1] Dump the MBR of a physical disk to file.
        [2] Restore the MBR of a physical disk with a standard boot code.
        [3] Exit.
        Enter your choice:
    • Please push the 'Y' key and then press Enter
    • When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
    • Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
      • Enter 0 and press the Enter key.
    • The program will show Available MBR codes as below
    • You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
    • The program will prompt for confirmation. Type 'YES' and hit Enter.
    • Left click on the title bar (where program name and path is written). From menu choose Edit -> Select All
    • You will see all the text in the window get highlighted.
    • Hit the Enter key on your keyboard to copy all of the text into the clipboard.
    • Paste that text into Notepad, save it to your desktop as MBRfix.txt
    • Restart your PC.
    • Attach the MBRfix.txt file to your next message.
    Also tell me how things are working.

    Now re-run MBRCheck.exe like so:

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread
    • and let's see what it reports now.
    Run RootRepeal too again if you like. Attach all of the requested logs from each program that you ran.
     
  12. 1jzx5000

    1jzx5000 Private E-2

    I hear you Kestrel. I just want to make sure we're on the same page here. First off, I do have a Dell, but there is no option any longer on the system to go back to factory settings. I wiped that out about 3 years ago as I got tired of having to do multiple factory resets due to the computer having serious troubles right out of the box. At that time Dell was not helping me solve the problem at all. Ultimately, they went ahead and sent me a new computer, which still proved to be useless as they loaded it once again with the same garbage. Long story short - it was a gift from my mother who wanted to surprise me. She knows very little about computers, so she called Dell and in turn got taken advantage of by the sales rep, who sold her everything but the kitchen sink and stuffed it into the computer. As I said, major conflicts right out of the box and crashes within the first week that I had it - doing factory resets sometimes 2x per week. They weren't being very helpful but I finally convinced them to send me the actual Win XP Disk (as if they shouldn't send those automatically), from which I proceeded to do everything from scratch myself. I learned a huge amount in the process, and my computer has run perfectly ever since, that is up until now. Shame on me however for relying solely upon System Restore and not having done more formal backing up. After this I'll be doing clones from now on.
    NOW, regarding the MBR. If I'm not mistaken Kestrel it seems that MBRCheck is showing my C: drive to be okay? (Windows XP MBR code detected):

    Size    Device Name          MBR Status
    --------------------------------------------
     91 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
             SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    465 GB  \\.\PhysicalDrive2   RE: Unknown MBR code
             SHA1: CE7DBBBEE43059700485C7835F4E1ED6D2FADB1C

    The 500GB drive I have (PhysicalDrive2) is a portable pocket sized external which I MAINLY use for media storage, plus some file backup. I don't get the MBR code issue because this drive in no way has anything bootable on it. I guess that's where there's some confusion? Or am I missing something otherwise? I do have an extensive amount of data on the drive which I would prefer not to lose, and I have a 250GB external drive on its way (should be here any day) for that purpose. So I'm thinking at this point that MBRCheck is actually referring to this external which never actually had a boot record on it (meaning what is it actually seeing after all)? Also, I had a MAC that I was sharing this drive with (found a program that allows MAC to read/write NTFS) and was constantly switching back and forth - could that be related to this perhaps? Like, stuff that the MAC had written to the drive? Anyway, just wanted to clarify all this before proceeding. If my C: drive is okay then I can pretty much happily deal with whatever else - that's the ONLY drive I boot from. If however the suggestion is being made that this potentially risky MBR restore needs to be done on that drive also, then I think it might be a good idea to do that backup first. Thank you very much for the tremendous help you've been so far. Let me know if I should proceed in the same way you requested after reviewing this reply - Jamie
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's do this:

    For the external Hard Drive and a USB stick.

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it.
    • Your desktop and icons may disappear. This is normal.
    • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    • Follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • There will be no GUI interface or log file produced.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    Then:

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread
     
  14. 1jzx5000

    1jzx5000 Private E-2

    Ok Kestrel - I did exactly as you requested. Attached is the MBRCheck log. Unfortunately we're still showing the same thing:

    On my 91GB (C:) drive (Where Win XP is installed):
    "Windows XP MBR code detected"

    On my 465GB (G:) drive (Used only for file storage and access):
    "RE: Unknown MBR code"
    I'M ASSUMING THIS IS THE DRIVE THAT IT SAYS HAS NON-STANDARD OR INFECTED MBR??

    Given the 3 options I chose to just EXIT once again as you haven't given me any instruction otherwise.

    Thank you Kestrel - Let me know - Jamie
     

    Attached Files:

  15. 1jzx5000

    1jzx5000 Private E-2

    Sorry - Didn't know the colon after drive letters would turn into a smiley face.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Some external drives do not have a MBR. What issues are you currently having?
     
  17. 1jzx5000

    1jzx5000 Private E-2

    Well I guess I was hoping you could tell me Tim. Just been following along here with the instructions I've been given so far and overall I have to say so far so good. So here's EXACTLY where I'm at:

    Scan back a couple posts and I think it's pretty clearly laid out. I have 2 drives. The internal one in the computer itself (a Dell Inspiron E1405 laptop) is the ONLY one that I'm aware of that should have any sort of MBR on it, period. The other drive is a 500GB USB2 ultra portable Western Digital "passport" external hard drive, WHICH, straight out of the box I COMPLETELY formatted (NTFS) with one single huge partition for one purpose - to hold a ton of files (mostly media for that matter). So now, MBRCheck states this:

    Size    Device Name          MBR Status
    --------------------------------------------
     91 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
             SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    465 GB  \\.\PhysicalDrive2   RE: Unknown MBR code
             SHA1: CE7DBBBEE43059700485C7835F4E1ED6D2FADB1C


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: 3

    Done!

    SOOOOO -Any reason for concern here?? Non-standard or infected MBR on my external?? As far as I know there shouldn't be an MBR on that drive at all as I never intended on making it a bootable drive (or is that just automatic after formatting NTFS?), so I'm a little confused there.

    System performance and overall stability have improved by about 95% (from what I can SEE, that is). DO YOU HAVE ANY RECOMMENDATIONS FOR WHAT CLEARLY SEEMS TO ME TO BE THE RESIDUE FROM THIS ATTACK? (OTHER THAN THE COUNTLESS HOURS ALREADY SPENT RESEARCHING AND EXECUTING MULTITUDES OF SUGGESTED SOLUTIONS WITH ZERO SUCCESS) For example:
    -error message from msconfig telling me access denied, to log in as ADMIN when (silly me) I thought I already was! At what point did I become a guest on my own system?
    -The infamous BSOD as of yesterday morning. Hey, there's a first time for everything, right?

    I don't know, my brain is fried right now.
    I VERY MUCH WANTED TO BE A COMPUTER GENIUS AT ONE TIME AND I JUST CAN'T KEEP UP WITH IT ANYMORE. BEFORE THIS MY COMPUTER WAS LITERALLY PERFECT FOR ALMOST 3 SOLID YEARS. I'VE LEARNED ENOUGH TO HANDLE MY OWN WHICH I'VE DONE QUITE NICELY UP TO THIS IRRITATING MOMENT IN TIME. THIS MARKS A PERIOD HENCEFORTH FROM WHICH I WILL ALWAYS MAINTAIN A CLONE OF THAT PERFECT CONDITION - THIS I WILL ULTIMATELY ACHIEVE ONE WAY OR ANOTHER ONCE AGAIN. THERE IS NO DELL FACTORY RESET ON THIS SYSTEM ANYMORE - THE FACTORY SETTINGS TOTALLY SUCKED, FORCING ME TO FIGURE IT ALL OUT ON MY OWN. BY THE TIME I WAS DONE I HAD IT RUNNING TEN TIMES BETTER THAN THE OVERWEIGHT, BLOATED BOX OF RUBBISH THAT WAS SENT TO ME BY DELL. STILL, SHOULD'VE HAD A GOOD CLONE AND INSTEAD FELT LIKE SYSTEM RESTORE WAS GOOD ENOUGH. FOOLISH OF ME NOT TO HAVE KNOWN BETTER.

    BY THE WAY - THANK YOU GUYS SINCERELY AND I MEAN THAT!! I COULD BE A LOT WORSE OFF IF IT WEREN'T FOR YOUR VOLUNTARY SERVICES.

    Anything else you guys see in any logs I've submitted to you that should cause any concern?
     
  18. 1jzx5000

    1jzx5000 Private E-2

    Okay guys - this seems pretty harmless to me. Dumped the MBR of external to file (attached).

    It appears that the thing is just looking for an OS that isn't there, which tells me that this "non-standard or infected" MBR has probably been sitting there since the day I formatted it NTFS.

    Any other takes? Seems like we're looking pretty good?
     

    Attached Files:
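The question running through the last few posts (whether a data-only NTFS external has an MBR at all, and what the SHA1 that MBRCheck prints actually covers) can be answered from the dumped sector itself. The parser below is an added example written for this page, not code from the thread or from MBRCheck's author; it assumes the hash is taken over the 440-byte boot code area that precedes the disk signature (an assumption, so do not expect it to reproduce MBRCheck's values), works on a constructed sample sector rather than a real dump, and takes a placeholder known-good hash table that you fill from a disk you trust.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code ends where the 4-byte disk signature starts (0x1B8)
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
SIGNATURE_OFF = 510      # 0x55 0xAA marks a valid MBR

# Partition type ids a data disk is likely to carry (0x07 is what NTFS uses).
PART_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d" % (SECTOR_SIZE, len(sector)))
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        # status(1) CHS(3) type(1) CHS(3) lba_start(4) sectors(4), little endian
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        partitions.append({
            "status": status, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "0x%02X" % ptype),
            "lba_start": lba_start, "sectors": sectors,
        })
    return {
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xAA",
        "boot_code_sha1": hashlib.sha1(boot_code).hexdigest().upper(),
        "boot_code_empty": not any(boot_code),
        "partitions": partitions,
    }


def classify(info: dict, known_good: dict) -> str:
    """Describe the boot code: known_good maps SHA1 -> label for hashes verified on clean disks."""
    if not info["signature_ok"]:
        return "no valid MBR signature (0x55AA missing)"
    if info["boot_code_sha1"] in known_good:
        return "known boot code: " + known_good[info["boot_code_sha1"]]
    if info["boot_code_empty"]:
        return "no boot code at all (sector holds only a partition table)"
    return "unknown boot code: compare the dump with one taken from a clean disk"


def table_warnings(info: dict) -> list:
    """Partition-table sanity checks that need no hash database."""
    warnings = []
    used = [p for p in info["partitions"] if p["type"] != 0x00]
    for p in used:
        if p["status"] not in (0x00, 0x80):        # only 'inactive' and 'bootable' are valid
            warnings.append("entry with invalid status byte 0x%02X" % p["status"])
        if p["lba_start"] == 0 or p["sectors"] == 0:
            warnings.append("entry with zero start or length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            warnings.append("overlapping partitions at LBA %d" % start2)
    return warnings


def build_sample_mbr() -> bytes:
    """Constructed sample: a single NTFS data partition, boot code bytes are filler, not real code."""
    boot_code = bytes(range(16)) * 27 + b"\x00" * 8              # 440 bytes of constructed filler
    disk_sig = b"\xDE\xAD\xBE\xEF" + b"\x00\x00"                 # disk signature + 2 reserved bytes
    ntfs = struct.pack("<B3sB3sII", 0x00, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 975175617)
    return boot_code + disk_sig + ntfs + b"\x00" * 48 + b"\x55\xAA"


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("SHA1:", info["boot_code_sha1"], "->", classify(info, {}))
    for p in info["partitions"]:
        if p["type"]:
            print("  %-12s start=%d sectors=%d" % (p["type_name"], p["lba_start"], p["sectors"]))
    print("warnings:", table_warnings(info) or "none")
```

To run it on a real dump, read the first 512 bytes of the file produced by option 1 in MBRCheck and pass them to parse_mbr.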

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry for any confusion I caused you.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  20. 1jzx5000

    1jzx5000 Private E-2

    Thank you again Kestrel13! and Tim
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Most welcome. Safe surfing!
     
