TDL3 Alureon rootkit variant


This topic is locked.

#31 xor0 (Topic Starter, Member, 24 posts)
Yes it redirects in IE too.

mbr is waiting for input...


MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size     Device Name          MBR Status
--------------------------------------------
232 GB   \\.\PhysicalDrive0   MBR Code Faked!


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

#32 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Please do the following:

When prompted, Enter 'Y' and hit ENTER for more options

When you see: "Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit):"

Enter 0 to dump the MBR to the physical disk.

Name the dumped file as dump.dat

Enter -1 to exit

A log file named "dump.dat" will be located in the same folder where MBRCheck was saved; please zip it up and attach it to your next reply.
  • 0

#33
xor0

xor0

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
OK here it is

Attached file: dump.zip (570 bytes, 140 downloads)

#34 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

Please do me a favor and delete the current copy of MBRCheck that you have on your desktop, and download this version of MBRCheck.

  • Double click to run it
  • It will prompt you with some text
  • Right click on title bar (where program name and path is written)
  • From the menu choose Edit -> Select All
  • Now just click Enter key on keyboard to copy selected text
  • Now paste that text here for me.


#35 xor0 (Topic Starter, Member, 24 posts)
MBRCheck, version 1.2.2
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

Size     Device Name          MBR Status
--------------------------------------------
232 GB   \\.\PhysicalDrive0   MBR Code Faked!
SHA1: 3DD27C7EE9B2D8B2CB511843C79460E5DB3CA995


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

#36 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
I am looking into something, and am awaiting a response from a colleague of mine on something in regards to your log. As soon as I speak with them, I'll post back with further instructions. I should hear from them tomorrow some time.

#37 xor0 (Topic Starter, Member, 24 posts)
OK, thanks. I'll be waiting.

#38 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
I apologize for the delay in getting back to you.

I'd like for you to reset the settings for Firefox, as there seem to be a few things in your logs that don't look right to me.


Reset Firefox
  • Go to Start -> All Programs -> Mozilla Firefox and use the "Mozilla Firefox (Safe Mode)" shortcut.
    • If this shortcut is missing, use "Start -> Run" (on Vista or Windows 7, use the Start Search box) and enter one of the following in the text field:
      firefox -safe-mode
      OR
      "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
      You may need to alter the above path if you installed Firefox to a different location.
      Press the OK button.

    A Firefox Safe Mode window will open with Safe Mode options. (Refer to image below.)
    Posted Image
  • Select "Reset all user preferences to Firefox defaults"
  • Press the "Make Changes and Restart" button.
    Firefox restarts normally using the selected options; these changes ARE permanent. Any user customizations will need to be reapplied.
  • After Firefox restarts, click on "Check for Updates".


NEXT:

What types of sites are you being redirected to when it happens?

#39 xor0 (Topic Starter, Member, 24 posts)
OK, Firefox reset and updated to the latest version.

Redirects still happening, also with IE.

Most redirect pages look like auto-generated MFA sites, that is, a search is displayed with the terms I entered and a bunch of AdSense-type links as results. The redirects all seem to go through nnkclwv.com.

At random times a new tab opens in Firefox with a prompt to install a registry utility.

#40 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

Reboot your machine and when the Boot Menu flashes up, select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key, as you only have a couple of seconds before it defaults to the Windows XP bootup).

Posted Image

Posted Image

When you get to the above screen, take note of the number that references your operating system.
If it's '1' like the picture above, type 1 and press Enter


Posted Image

Next type FIXMBR

Posted Image

If it asks if you're sure you want to write a new MBR, answer 'Y'.

Then type EXIT to reboot the machine.

Let me know how that goes.


Also run a new scan with MBRCheck and post the log. I'd like for you to run it normally (double clicking on it and letting it run).

Post the log from it in your next reply, as well as an update on how things are currently running.

#41 xor0 (Topic Starter, Member, 24 posts)
When I select the recovery console it says "Starting Windows recovery console..."

A line with white stripes is filled in with a solid line, then nothing happens. No hard drive access, nothing.
Like it did with CF.

#42 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Do you have your Windows XP disc?

#43 xor0 (Topic Starter, Member, 24 posts)
yes

#44 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Steps to perform on the problem machine:
  • Place your Windows XP Installation CD, and reboot.
    You should see this:
    Posted Image
    If you don't see the above, try pressing the F10 or F12 keys during boot and selecting the CD-ROM device from the list.
    If that doesn't work, enter BIOS Setup by pressing the F1, F2, F10 or Del key during boot and modifying the Boot Order or Boot Priority to make the CD/DVD the first boot device.
  • Press any key to start Windows Setup (Don't worry, we're not actually using Setup at this point).
  • Wait a while for setup to start, until you see the following screen, then press the R key.
    Posted Image
  • Wait until you see this screen, and enter the number of your main installation. (Typically 1 for C:\Windows)
    Posted Image
  • Press Enter.
  • If prompted to do so, enter your Administrator password. If you don't have one, leave it blank and press enter.
  • From the command prompt, enter: FIXMBR
  • When you get to the above screen, take note of the number that references your operating system.
    If it's '1' like the picture above, type 1 and press Enter

    Posted Image
  • Next type FIXMBR

    Posted Image
  • If it asks if you're sure you want to write a new MBR, answer 'Y'.
  • Then type EXIT to reboot the machine.

Let me know how that goes.

#45 xor0 (Topic Starter, Member, 24 posts)
Bingo! No more redirects in Firefox or IE, MSE can update now, HitmanPro no longer shows the rootkit warning :)


MBRCheck, version 1.2.2
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

Size     Device Name          MBR Status
--------------------------------------------
232 GB   \\.\PhysicalDrive0   Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
Press ENTER to exit...
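The two MBRCheck logs in this thread (post #35 "MBR Code Faked!" before FIXMBR, post #45 "Windows XP MBR code detected" after) show the defender's view of a bootkit: the boot code in sector 0 was replaced while the partition table stayed intact, so the disk still booted. The script below is an added example, not MBRCheck's code and not part of the thread. It parses a 512-byte MBR image (for instance the dump.dat that MBRCheck writes), checks the 55AA boot signature, decodes the partition table, hashes the sector and the 440-byte code area with SHA1, and diffs a sample against a trusted baseline so that a swapped-in boot loader is flagged even when the partition table is unchanged. The sample sectors are constructed in code (the boot code bytes are arbitrary stubs, not real loader code); the only values taken from the thread are the two SHA1 hashes and the 0x7e00 partition offset. The thread does not say whether MBRCheck hashes the whole sector or only the code area, so the lookup tries both.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA_END = 440            # classic x86 boot code occupies bytes 0..439
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511

# SHA1 values exactly as printed by MBRCheck in this thread; labels are MBRCheck's.
KNOWN_HASHES = {
    "3DD27C7EE9B2D8B2CB511843C79460E5DB3CA995": "MBR Code Faked! (infected, thread post #35)",
    "DA38B874B7713D1B51CBC449F4EF809B0DEC644A": "Windows XP MBR code detected (clean, thread post #45)",
}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR image (not a real disk dump).

    One active NTFS (type 0x07) partition starting at LBA 63, which is the
    0x7e00 byte offset the thread's MBRCheck log reports for C:.
    """
    sector = bytearray(SECTOR_SIZE)
    sector[:CODE_AREA_END] = boot_code.ljust(CODE_AREA_END, b"\x00")[:CODE_AREA_END]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 488_000_000)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_sector(path: str) -> bytes:
    """Read the first 512 bytes of a dump file such as MBRCheck's dump.dat."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, partition table and hashes of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:              # empty slot
            continue
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR_SIZE,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "code_sha1": hashlib.sha1(sector[:CODE_AREA_END]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "partitions": partitions,
    }


def classify(report: dict) -> str:
    """Hash lookup; both the whole-sector and code-area hashes are tried."""
    for digest in (report["sector_sha1"], report["code_sha1"]):
        if digest in KNOWN_HASHES:
            return KNOWN_HASHES[digest]
    return "unknown MBR hash; compare against a trusted baseline dump"


def compare_to_baseline(baseline: bytes, sample: bytes) -> list:
    """Return findings that distinguish a swapped boot loader from a
    legitimate repartition: the TDL3 pattern is code changed, table intact."""
    base, samp = parse_mbr(baseline), parse_mbr(sample)
    findings = []
    if not samp["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if base["code_sha1"] != samp["code_sha1"]:
        findings.append("boot code differs from baseline")
    if base["partitions"] != samp["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed stub
    bad = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 32)          # constructed stub
    for name, image in (("baseline", good), ("tampered", bad)):
        report = parse_mbr(image)
        print(name, report["code_sha1"], classify(report))
        for p in report["partitions"]:
            print(f"  partition {p['index']}: type 0x{p['type']:02x} "
                  f"at byte offset 0x{p['byte_offset']:x}")
    print("findings:", compare_to_baseline(good, bad))
```

To use it on a real machine, take a baseline dump of sector 0 from a known-clean disk, then run `compare_to_baseline(read_sector("baseline.dat"), read_sector("dump.dat"))` on later dumps; a result of only "boot code differs from baseline" while the partition table matches is the signature of a bootkit rather than of a repartition.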