malware backdoor

You need to attach the 5 requested logs so that we can try to help you. Make sure you look for the MGlogs.zip file as something may have been created anyway.

 

You have a Master Boot Record (MBR) infection. Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.

The belwo is not a fix. It is just more info that we need before giving you the fix.

• Download bootkit_remover.rar
• Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
• You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip
• After extracing remover.exe to your Desktop, double click the remover.exe file to run the program.
• Attach or post inline here, the output from remover.exe

 

You're welcome.


Now - please do the following:

• Click Start, Run then copy and paste the below into the Run box and click OK.

"%userprofile%\Desktop\remover.exe" fix \\.\PhysicalDrive0

• Now reboot your PC and after reboot continue with the below instructions.
• Disable System Restore on all drives.
• Look for the below folder and if if it sill exists, delete it.
  • C:\System Volume Information\Microsoft
• Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
  
  
  
  Then attach the below logs:
  • C:\MGlogs.zip

Make sure you tell me how things are working now!

 

That error and the fix was covered in the READ & RUN ME where it gave you the Using MGtools link.

The real indicator of the problem was not IE running. It was the executable files running out of the System Volume Information folder. Previously, you had the below two processes running:

C:\System Volume Information\Microsoft\services.exe
C:\System Volume Information\Microsoft\smss.exe

Now they are no longer running. Both services.exe and smss.exe are valid system file names, but the valid ones do not run from the above location. The valid ones only run from the C:\Windows\system32 folder. These were the key indicator of your infection.

 

It would be a normal configuration to not be allow to access the C:\System Volume Information folder while System Restore is enable. This is a protected system folder. After disabling system restore, all restore points are deleted but the infection put their files in non-restore point folders (i.e., they put them in a Microsoft folder to confuse you ). Thus the Microsoft folder was not deleted and you had to do it manually. Also the infection changed permissions on the folder as you have notice and fixed.

You're logs are clean.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. Now you need to re-enable System Restore.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Did you extract the files into the system32 folder or to somewhere else. They must be saved to the C:\Windows\system32 folder inorder for them to have any effect.

No I had enough info anyway.

No formal process but some of us can accept optional donations via PayPal.

You're welcome.