ken545,
Very happy to report that the offline dump of my infected MBR was successful. Finally! Feels good to be making some progress. Attached is the mbr.zip for your review. (Sent from uninfected machine.)
Many thanks!!
Jess
Jess,
Just looking at the dump file now. It basically looks OK. I do see a hidden partition, but that could have been put there by your manufacturer. This looks like a Dell computer.
I have sent that dump file up to VirusTotal to be analysed and it came back as OK.
I want to have someone else take another look; be back in a bit.
ken545,
Yes, it is a Dell computer.
Thanks for all your efforts on this unusual problem.
Jess
Jess,
This is what we are up against: malware has installed an infected hidden partition within your Master Boot Record and set that partition as active, so every time you boot up your system it boots from the infected partition and the malware is activated.
aswMBR has been updated to remove the rogue partition, so let's give it one more shot. Hang on to your USB drive with xPud, as if aswMBR won't run then we will need it. First drag the aswMBR that you have on your desktop to the trash and download a fresh new copy; when you run it, let it update if it asks.
Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png
ken545,
aswMBR.exe did not run. It did nothing. (I had made sure all monitoring software was turned off.) Double-clicked a second time, nothing.
Just to make sure, I repeated the procedure with trashing the old, downloading a fresh copy of the new, made sure the monitoring software was off and nothing again.
Seems this malware really has control over my machine.
What is the next step in ousting this hostile takeover?
Thanks much,
Jess
Jess,
Go to Start > Control Panel > Administrative Tools > Computer Management > Disk Management, expand the picture, then press Alt+PrtScr (Print Screen) and paste it into a picture editor (Paint would do fine). Name the file DiskManage, save the file to your desktop and then attach it to your next reply.
ken545,
Here is the screen print of the disk management.
Thanks,
Jess
You may want to print this out so you can follow along.
- Download tdl_fix.sh and save it to the xPUD flash drive.
- Boot into xPUD then click the File tab.
- Press File
- Expand mnt
- Click on the folder under mnt that represents your USB drive (sdb1 ?)
- You should see the tdl_fix.sh file in the main window.
- Select Tool from the Menu
- Choose Open Terminal
- Type bash tdl_fix.sh then press Enter.
- Read the warning then type y and press Enter to continue.
- Type sda then press Enter when prompted.
- You will be shown a list of partitions to choose marking active.
- Type 2 then press Enter.
- If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
- When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
- The script will complete and prompt you to reboot the computer.
- Close the Terminal window and restart back into Windows.
- Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.
Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.
bash tdl_fix.sh -restore
Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
OK the procedure, then restart when complete.
This is a backup of the original MBR and will restore it to its current state.
ken545,
The program worked on the first attempt. The first time through it came back with "Does this look correct?" for the partition. It quickly completed with no issues. I rebooted normally into Windows. The machine is no longer running sluggishly. I didn't realize how slow it had become. (Seems like I just upgraded!) I tried the dreaded IE search for "system restore" which was causing the original redirect. It worked!! I was able to navigate through the search results and back with no problems. I also tried other similar "restore" searches with no issues. It seems to be working as it should be.
Here is the txt file from the program run.
Is the machine now clean? Do you know what the security concerns and ramifications from this malware would be?
I am deeply grateful for your assistance with this problem. I know it is not easy trying to debug from remote control.
Jess :D
One more step, Jess. What we have done was to set the legit partition as active, but the rogue partition is still there. Just run this and it will remove the bad partition.
- Boot into xPUD then click the File tab.
- Press File
- Expand mnt
- Click on the folder under mnt that represents your USB drive (sdb1 ?)
- You should see the tdl_fix.sh file in the main window.
- Select Tool from the Menu
- Choose Open Terminal
- Type bash tdl_fix.sh -delete then press Enter.
- ** Make sure to leave a space to either side of tdl_fix.sh in the command.
- You should be notified of a hidden partition found and prompted to delete it.
- Type y then press Enter.
- The script will complete and prompt you to reboot the computer.
- Close the Terminal window and restart back into Windows.
- Post the contents of the tdl_delete.txt file that was created on your flash drive.
Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.
bash tdl_fix.sh -restore
Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
OK the procedure, then restart when complete.
Then go to Disk Management once more and attach a new screenshot.
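The thread's procedure in code form, as an added example that is not the forum's tdl_fix.sh or aswMBR and is not code anyone posted above. It parses the four partition entries of a 512-byte MBR dump like the one analysed earlier in the thread, flags the pattern described in the "what we are up against" post (the active flag sitting on a small hidden partition rather than the Windows volume), and then applies the two repairs the later posts perform in order: marking the Windows partition active and zeroing the rogue entry, with a check that the boot code and 0x55AA signature bytes were not touched. The dump is constructed here; the partition layout, the type bytes and the "small hidden active partition" heuristic are this example's assumptions, not facts taken from Jess's machine. It only works on the dump file, and the unmodified dump plays the role of the tdl_mbr_sda.bin backup; writing the result back to a disk is deliberately left out.

```python
"""Inspect and repair the partition table of a 512-byte MBR dump (added example)."""
from __future__ import annotations

import struct

SECTOR = 512
TABLE_OFFSET = 446           # four 16-byte partition entries live at 446..509
SIG_OFFSET = 510             # 0x55AA boot signature at 510..511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
ACTIVE = 0x80

# Type bytes worth naming for this thread; anything else is reported as raw hex.
TYPE_NAMES = {0x00: "empty", 0x07: "NTFS/exFAT", 0x17: "hidden NTFS",
              0x27: "hidden NTFS (WinRE)", 0xDE: "Dell utility"}
# Conventional "hidden" variants of the FAT/NTFS type bytes.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}


def parse_partitions(mbr: bytes) -> list[dict]:
    """Return the four primary entries as dicts; index is 1-based, as tdl_fix.sh prompts."""
    if len(mbr) < SECTOR or mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("not an MBR: short dump or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        parts.append({"index": i + 1, "active": status == ACTIVE, "type": ptype,
                      "name": TYPE_NAMES.get(ptype, f"type 0x{ptype:02X}"),
                      "hidden": ptype in HIDDEN_TYPES, "lba": lba, "sectors": count})
    return parts


def suspicious_active(parts: list[dict]) -> list[str]:
    """Heuristics (this example's assumptions) for the pattern the thread describes:
    the bootable flag on a small hidden partition instead of the OS volume."""
    reasons = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        reasons.append(f"{len(active)} active entries; exactly one is expected")
    used = [p for p in parts if p["type"] != 0x00]
    largest = max(used, key=lambda p: p["sectors"]) if used else None
    for p in active:
        if p["hidden"]:
            reasons.append(f"active partition {p['index']} has a hidden type ({p['name']})")
        if largest is not None and p is not largest and p["sectors"] < 65536:
            reasons.append(f"active partition {p['index']} is only {p['sectors']} sectors; "
                           f"the OS-sized volume is partition {largest['index']}")
    return reasons


def set_active(mbr: bytes, index: int) -> bytes:
    """Copy of the MBR with only entry `index` flagged bootable (the first tdl_fix.sh run)."""
    buf = bytearray(mbr)
    if buf[TABLE_OFFSET + 16 * (index - 1) + 4] == 0x00:
        raise ValueError(f"partition {index} is empty and cannot be made active")
    for i in range(4):
        buf[TABLE_OFFSET + 16 * i] = ACTIVE if i + 1 == index else 0x00
    return bytes(buf)


def delete_partition(mbr: bytes, index: int) -> bytes:
    """Copy of the MBR with entry `index` zeroed (the -delete run); data sectors are untouched."""
    buf = bytearray(mbr)
    off = TABLE_OFFSET + 16 * (index - 1)
    buf[off:off + 16] = bytes(16)
    return bytes(buf)


def table_only_changed(before: bytes, after: bytes) -> bool:
    """Check before writing anything back: boot code and signature must be identical."""
    return (before[:TABLE_OFFSET] == after[:TABLE_OFFSET]
            and before[SIG_OFFSET:] == after[SIG_OFFSET:])


def repair(mbr: bytes, windows_index: int, rogue_index: int) -> bytes:
    """Both repairs from the thread in order; the caller keeps `mbr` as the restore backup."""
    fixed = delete_partition(set_active(mbr, windows_index), rogue_index)
    if not table_only_changed(mbr, fixed):
        raise RuntimeError("repair touched bytes outside the partition table")
    return fixed


def _entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", lba, count)


def sample_mbr() -> bytes:
    """Constructed dump (not Jess's): Dell utility, Windows NTFS, and a 1 MiB hidden
    partition at the end of the disk carrying the active flag."""
    table = (_entry(0x00, 0xDE, 63, 160_650)
             + _entry(0x00, 0x07, 160_713, 100_000_000)
             + _entry(ACTIVE, 0x17, 100_160_713, 2048)
             + bytes(16))
    return bytes(TABLE_OFFSET) + table + b"\x55\xAA"


if __name__ == "__main__":
    original = sample_mbr()                      # in practice: open("mbr.bin", "rb").read()
    for p in parse_partitions(original):
        print(p)
    print("findings:", suspicious_active(parse_partitions(original)))
    fixed = repair(original, windows_index=2, rogue_index=3)
    print("after repair:", suspicious_active(parse_partitions(fixed)))
```

On the constructed dump the findings list names partition 3 twice (hidden type, and far too small to be the OS volume while partition 2 is), which is the same reasoning ken545 applied to the Disk Management screenshot; after `repair` the list is empty and only the 64 table bytes differ from the original. A vendor entry such as the Dell utility partition (type 0xDE) is not flagged, because it is neither active nor a hidden FAT/NTFS type.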