Possible MBR Virus? Computer freezes and beeps

Which OS did RootRepeal detect an mbr rootkit on?

Whichever one it was then log into it and run ALL of the requested scans, in order, including SAS, MBAM, (attach the log from RootRepeal) Combofix and MGTools. Attach logs from each.

 

Scroll down to Error Message Type 2 to address this.

using MGTools

Why did you not run SUPERantispyware?

1. Please go to Add/Remove programs and uninstall the following software:

• Java 2 Runtime Environment, SE v1.4.2_03
• Java(TM) 6 Update 17
• Java(TM) 6 Update 3
• Java(TM) 6 Update 5
• Java(TM) 6 Update 7

2. Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

Folder::
C:\Documents and Settings\HelpAssistant.TIM.000
C:\Documents and Settings\HelpAssistant.TIM
C:\Documents and Settings\HelpAssistant
c:\documents and settings\Tim Gonzales\Local Settings\Application Data\pcausk

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


3. Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

4. Now download and run SUPERAntispyware as per the instructions in the Read & Run Me First Guide.

5. Attach the log from doing so in your next reply.

6. Now reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

7. You did not agree to the Trend Micro HJT license when you first ran MGTools.exe. (There is a bug and you will have to click "accept" twice!) So let's try again:

8. Double click the C:\MGtools.exe to run it, this time round agreeing to the TM HJT license.

9. Attach the C:\Mglogs.zip into your next reply, as well as the log from running combofix, TDSSKiller and SAS.

10. How is your computer behaving now?

 

Just attach the C:\Mglogs.zip anyway into your next reply please.

 

1. Run this batch file:

Open NOTEPAD and copy/paste the text in the codebox below into it. Do not include Code

• Save this as Helpass.bat Choose to "Save type as - All Files" and save it to your desktop.
• It should look like this:
  http://farm3.static.flickr.com/2679/4407729362_87d05e106a_o.gif

• Double click the Helpass.bat and post the log it produces.

2. Next run this:

Profiles.

Please download Profiles.exe by Noahdfear and save it to your desktop.

• Double click Profiles.exe to run the tool
• Notead will open - Post the contents in your next reply.

3. Then run this.


Download HelpAsst_mebroot_fix.exe by noahdfear and save it to your desktop.

• Double click HelpAsst_mebroot_fix.exe to run the tool.
• When the tool completes it will inform you HelpAssistant was successfully removed, or it may require a reboot

Whether the tool requires a reboot or not go to Start > Run and copy/paste the following into the run box (Do Not include code: ) If the tool does need a reboot, do this before rebooting

4. Now reboot.

5. Open NOTEPAD and copy/paste the text in the codebox below into it. Do not include Code.

• Save this as MBRlook.bat Choose to "Save type as - All Files" and save it to your desktop.
• It should look like this:
• http://farm3.static.flickr.com/2679/4407729362_87d05e106a_o.gif
• Double click the MBRlook.bat and post the log it produces.

6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the logs from running Helpass.bat, profiles.exe & MBRlook.bat.


7. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

Not forgotton you. Just figuring out what move to make next

 

Please download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Double click it and run it. After running it:

• With Windows Explorer, navigate to the C:\MGtools folder and double click on mbrfix.bat ( If not sure how to use Windows Explorer, you can optionally click Start > Run and enter C:\MGtools\mbrfix.bat into the run box and click OK. ) This will run quickly flashing a black screen in front of you too fast to read.
• NOW REBOOT!

After reboot run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the new C:\MGlogs.zip file

Make sure you tell me how things are working now!

 

This error message was explaing in the Using MGtools link in the cleaning procedure. You should run the given fix.



However more important is that you are still infected so let's try the fix with a slightly different method. Let's download one of the tools again to be sure we have the correct version.

Please download HelpAsst_mebroot_fix.exe by noahdfear and save it to your Desktop.

• Double click HelpAsst_mebroot_fix.exe to run the tool.
• When the tool completes it will inform you HelpAssistant was successfully removed, or it may require a reboot. DO NOT reboot at this point if it tells you this. Do the below first.
• With Windows Explorer, navigate to the C:\MGtools folder and double click on mbrfix.bat ( If not sure how to use Windows Explorer, you can optionally click Start > Run and enter C:\MGtools\mbrfix.bat into the run box and click OK. ) This will run quickly flashing a black screen in front of you too fast to read.
• NOW REBOOT IMMEDIATELY!

After reboot, delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp

C:\Documents and Settings\Tim Gonzales\Local Settings\temp

• Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.
• Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the new C:\MGlogs.zip file

Make sure you tell me how things are working now!

 

Looks like the HelpAsst_mebroot_fix is not working for you. Do you have your Windows XP boot CD? You will need it to boot to the Recovery Console where you will need to run the fixmbr command. So if you have your CD, continue with the below.

Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

You can read the below to help you do this:

http://support.microsoft.com/kb/307654


After running the fixmbr command and boot back to normal mode, continue with the below. Don't bother doing any of the below until you have run fixmbr as the below will be a waste of time until fixmbr has run.



Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Do not use MSconfig. Just use Autoruns like mentioned in the READ & RUN ME and like you are already doing.

This is not a malware problem, it appears that you have added multiple boot partitions into your boot.ini file. Just edit your boot.ini file and remove the last 2. Make a backup first. And also note that the boot.ini file is normally read-only so you will have to change the permissions first.


Let's continue with your MBR infection cleanup. We have some more to do.

First please delete the C:\Avenger and C:\QooBox folders which are getting large due to the infection being removed.

Now download and run the newest MGtools which was just updated. Just download and run it. I don't want you to attach a log right now. We just need the new program installed before we can do the below.

Now run the C:\MGtools\hafix.bat file ( note the name is hafix.bat this time not mbrfix.bat ) by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). When it finishes, it will pause, take note of any error message before hitting a key and then hit any key to close the command prompt window.

Now REBOOT your PC.

After reboot run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the new C:\MGlogs.zip file

Make sure you tell me how things are working now!

 

Darn!!! I extremely sorry about this! :-o Not sure what went wrong but this automated fix some how lost information and deleted the wrong folders instead of the HelpAssistant user account only. I'm try to see if there is any file recover software that could possibly be used to help recover the deleted info. Not sure if this will work. In the meantime it would be best not to install/run any addition sofware on the PC ( if that is even possible now) since it would make recovery more difficult.I extremely sorry about this!

 

Thanks for your understanding!

I still feel really bad about this anyway. It is not something that happens that often. In fact something like this has never happened. I already found the bug and it was such a simple thing which caused such a big problem.

Do you mean System Restore? If so, I'm not sure since it does not save everything. It is not meant to be a full backup program. It really is primarily a back up Windows OS files and folders.

Basically it looks like things under C:\Documents and Settings

If you can install anything, see if the below will run:

Recuva (Slim)

Choose to recovery all the possible File types and then on the File location form select the option In a specific location and then click the Browse button and select C:\Documents and Settings

See if this can recover anything.

 

Thanks again for understanding.

Well at least that is good news!

Excellent!

Back in an earlier message you said the below:

To which I said to remove the last 2 lines from your boot.ini file. You never did remove those lines according to the follow up logs you had attached. Perhaps you really did not want to remove them since now you are saying you had other boot partitions. Maybe to get them back, you need edit your current boot.ini file to put back in what you used to have.

You previous boot.ini file looked like below:

 

Chaslang has been without power since Saturday and can not access the web. If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Go to add/remove programs and uninstall HijackThis.
7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
8. If you are running Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   
   • How to Protect yourself from malware!

 

Good to know. Safe surfing.