Someone Hijacked MBR. Weird Problem, Rootkit?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by EcoGeek, Aug 6, 2011.

  1. EcoGeek

    EcoGeek Private E-2

    I've been having problems with Outlook wanting to find a server on the net when I open an email from a particular person. It opens my browser trying to redirect me somewhere on the internet and I get an error message file:///C:/Users/Hannspree/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/%7B66F5BCEB-E3D3-4D99-8B89-D6DAD708FCD4%7D/%7B8EF13200-C76A-4C10-B95B-A6280C9BB820%7D.html


    I also notice huge CPU usage when starting up Windows on one of the processes, with an unknown account logging in.

    I ran Mbam, SAS, TDSS, Gmer, Spohia, Avira; nothing, everything is clean. However MBRCheck found something strange.

    What is more strange is the fact that I just happened to click on the C drive, then Tools and then Defrag, and it shows a strange volume or disk. I have no idea where or how that disk got on my computer. It looks like a redirect to a server somewhere.
    \\?\Volume{c0a6d66c-fee7-11df-8ee8-806e6f6e6963}\

    Avira, Mbam, SAS, Spyware Blaster, Spybot, Windows Defender and WinPatrol were active in real time guarding my system, Windows 7 32-bit with firewall enabled.
    HijackThis shows some redirects.

    Any help or suggestions as to what is going on with my system would be appreciated.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have your Win7 install disc? If not, you can create a Recovery Environment disc from here:
    http://digiex.net/downloads/downloa.../2660-windows-7-64-bit-x64-recovery-disc.html

    http://digiex.net/downloads/downloa.../2659-windows-7-32-bit-x86-recovery-disc.html

    Depending on which version you have (i.e. 64- or 32-bit system).
    You can use ImgBurn to create the disc.

    Once in the Recovery environment, go to the command prompt and type:

    Bootrec.exe /fixmbr

    Then exit and remove the disc. Reboot to normal mode and re-run MBRCheck and attach the log.

    Then please download the latest version of MGtools and save it to your root folder. Run the exe and attach the C:\MGLogs.zip.
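A way to record what the MBR looks like before and after running bootrec /fixmbr, as an added PowerShell example that is not part of this thread and not the code of MBRCheck or any other tool named here: it reads the first sector of \\.\PhysicalDrive0 (assumed to be the boot disk; the path is a parameter), checks the 55AA signature, hashes the boot code, and lists the partition table, so the two snapshots can be compared. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: snapshot the MBR of one physical disk.
# Assumes the OS disk is PhysicalDrive0; pass -Drive to pick another.
param([string]$Drive = '\\.\PhysicalDrive0')

# Raw disk reads need an elevated prompt and ReadWrite sharing, since the OS holds the device open.
$fs = New-Object System.IO.FileStream($Drive, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
$mbr = New-Object byte[] 512
try {
    $read = $fs.Read($mbr, 0, 512)
} finally {
    $fs.Close()
}
if ($read -ne 512) { throw "Short read ($read bytes) from $Drive" }

# Classic MBR layout: 446 bytes of boot code, four 16-byte partition entries, then 0x55 0xAA.
$bootCode = [byte[]]$mbr[0..445]
if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) {
    Write-Warning "Boot signature is not 55AA; this sector may not be a valid MBR"
}

# SHA-256 of the boot code: note it before /fixmbr and compare after.
$sha  = [System.Security.Cryptography.SHA256]::Create()
$hash = ($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''
Write-Output "Boot code SHA-256 : $hash"

# The NT disk signature sits at offset 0x1B8 (4 bytes, little-endian); the same value
# appears in HKLM\SYSTEM\MountedDevices for every volume on this disk.
$diskSig = [BitConverter]::ToUInt32($mbr, 0x1B8)
Write-Output ("Disk signature    : 0x{0:X8}" -f $diskSig)

# Partition table: status (0x80 = active), type, starting LBA and sector count per entry.
for ($i = 0; $i -lt 4; $i++) {
    $e     = 446 + ($i * 16)
    $type  = $mbr[$e + 4]
    if ($type -eq 0) { continue }          # empty slot
    $active = ($mbr[$e] -eq 0x80)
    $start  = [BitConverter]::ToUInt32($mbr, $e + 8)
    $count  = [BitConverter]::ToUInt32($mbr, $e + 12)
    Write-Output ("Partition {0}: active={1} type=0x{2:X2} startLBA={3} sectors={4}" -f
        ($i + 1), $active, $type, $start, $count)
}
```

Save the output from the first run, repeat after the repair, and compare: the boot code hash is what bootrec /fixmbr rewrites, while the disk signature and partition table should be unchanged by it. Any difference in the partition entries or the signature is worth asking about before going further.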
     
  3. EcoGeek

    EcoGeek Private E-2

    Ok, this is kind of wacky. I created the recovery disk. Thanks for the information. When I boot off the recovery disk it asks me whether I want Windows to repair the partition or boot record, I forget which. I said No. I was given a few more options, which I said No to. Finally reached the CMD prompt.

    There is no bootsec.exe on the recovery disk. The command given does not work.

    After googling, I found out there is a bootsect.exe on the recovery disk but it gives different options and no /fixmbr.

    bootsect.exe {/help | /nt52 | /nt60} {SYS | ALL | <DriveLetter:>} [/force] /mbr

    So I don't know what to do next or what option to use?

    Attached DDS and MGtools before fixing MBR
     

    Attached Files:

  4. EcoGeek

    EcoGeek Private E-2

    Duh, a bit of dyslexia and late night. Finally saw my error with transposing letters.
    Ok, ran bootrec /fixmbr and attached the latest.
    Ran MGtools and attached the latest.

    Thanks for helping.
     

    Attached Files:

    Last edited: Aug 7, 2011
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please tell me how things are running now. I also want you to use Windows Explorer to find and right-click these two files and tell me what info is there under Properties:
    C:\Windows\System32\YZZPPSWWDDHXRWZV
    C:\Windows\System32\IPAUSPQVB

    Then run CCleaner and make sure you empty out this folder:
    C:\USERS\HANNSP~1\LOCALS~1\TEMP\
     
  6. EcoGeek

    EcoGeek Private E-2

    The computer is running faster and I don't see the svchost process using up 50% of the CPU after booting up. I ran Malwarebytes and SAS on those two files and they check out ok. The install date was just the other day, so it was after my problem occurred. The tabs state General, Security, Details and Previous Versions.

    Unfortunately, clicking on C drive, Properties, Tools, Defrag still shows the drive or volume. Computer Management does not show this drive or volume.

    It's as though someone or a process took over my machine as a zombie and was sending out spam mail, as this was happening when I clicked on an email in Outlook, which caused an error message and launched Firefox.

    Thanks for your help.
     

    Attached Files:
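One way to find out what the \\?\Volume{...} entry in the defrag dialog actually points at, as an added PowerShell example that is not from this thread and not from any tool used in it: it lists the volumes WMI knows about (Win32_Volume reports the same \\?\Volume{GUID}\ form defrag shows) and resolves the GUID through HKLM\SYSTEM\MountedDevices to a disk signature plus partition offset, then looks for a drive letter recorded at the same location. The default GUID is the one EcoGeek posted; it is a parameter. Runs on Windows 7 PowerShell 2.0 from an elevated prompt.

```powershell
# Added example, not from the thread: resolve a \\?\Volume{GUID}\ entry to a partition.
param([string]$VolumeGuid = '{c0a6d66c-fee7-11df-8ee8-806e6f6e6963}')  # GUID posted in the thread

# Note: GUIDs ending in 806e6f6e6963 are the form the Windows mount manager generates
# for volumes on basic disks, so that suffix by itself does not point to anything foreign.

# 1. Volumes WMI knows about, including ones with no drive letter.
Get-WmiObject Win32_Volume |
    Select-Object DeviceID, DriveLetter, Label, FileSystem, Capacity, BootVolume, SystemVolume |
    Format-Table -AutoSize

# 2. The mount manager's own records. For a partition on a basic MBR disk the value is
#    12 bytes: the 4-byte NT disk signature followed by the 8-byte partition byte offset.
#    The \DosDevices\X: entry of a lettered volume carries the same 12 bytes.
$md = Get-ItemProperty 'HKLM:\SYSTEM\MountedDevices'
$records = @{}
foreach ($p in $md.PSObject.Properties) {
    if (-not ($p.Name.StartsWith('\??\Volume') -or $p.Name.StartsWith('\DosDevices\'))) { continue }
    $b = [byte[]]$p.Value
    if ($b.Length -ne 12) { continue }   # dynamic-disk and removable entries use other encodings
    $sig = [BitConverter]::ToUInt32($b, 0)
    $off = [BitConverter]::ToUInt64($b, 4)
    $records[$p.Name] = ('sig=0x{0:X8} offset={1}' -f $sig, $off)
}

$target = '\??\Volume' + $VolumeGuid
if (-not $records.ContainsKey($target)) {
    Write-Output "$target has no basic-disk MBR record (dynamic disk, removable media, or a stale entry)"
    return
}
$loc = $records[$target]
Write-Output "$target -> $loc"

# Any drive letter stored with the same signature and offset is the same partition.
$letters = @($records.Keys | Where-Object { $_.StartsWith('\DosDevices\') -and $records[$_] -eq $loc })
if ($letters.Count -gt 0) {
    $letters | ForEach-Object { Write-Output ("  same partition as {0}" -f $_) }
} else {
    Write-Output "  no drive letter assigned; on Windows 7 this is typical of the hidden System Reserved partition"
}
```

A volume that resolves to the OS disk's signature at a small offset, with no drive letter and SystemVolume set, is the normal hidden boot partition rather than a remote location; a GUID with no MountedDevices record at all is a stale or non-basic entry and can be checked against the physical disks in Disk Management. Either way the result is something concrete to post alongside the MBRCheck log.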

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. Any other system issues should be addressed in the software forum. Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


