Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

"Message in webpage" popups and audio spam


  • This topic is locked This topic is locked
8 replies to this topic

#1 dicktater

dicktater

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 09 August 2010 - 10:10 PM

Unable to stop/remove "Message in webpage" popups, audio spam, and cannot replace bad MBR code. You assistance with this amtter will be greatly appreciated!

Out of necessity, making this post using Opera run from Hiren's boot CD ver. 10.6.

OS = XP Home sp-3
Core Duo
Oodles of RAM

One week ago, the machine began exhibiting classic erratic behavior indicative of virus and/or spyware infection. Antivirus and antimalware applications were updated. System scanned and detected malwares were cleaned/removed, restoring most stability. However, shortly after running IE (and Firefox?), "Message in webpage" popups begin to appear and system stability starts to degrade. Rootkit infection was then suspected.

Installed applications used to detect and clean malware:
Avast 5.0
Malwarebytes
Spybot
Superantispyware (run from Hiren's boot CD ver. 10.6)
Spywareblaster
FSecure Blacklight
Sophos Anti-Rootkit
Ccleaner

Additional utilities used:
Disk Cleanup
Disk Defragmenter
chkdsk

"Message in webpage" popups (but, no audio spam) continues to ramdonly occur. Since popups seem to only occur some time after running a browser instance, browser use on this machine is being avoided until pre-forum post preparation is complete.
Previous scans with GMER have shown several IEXPLORER.EXE hidden processes.

MBRcheck reported "Known-bad MBR code detected (Whistler / Black Internet)!" However, despite MBR restoration with standard code, Known-bad MBR code is still detected by MBRcheck.

Combofix has NOT been run on this machine.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Betsy at 21:53:02.68 on Mon 08/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3546.3078 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r215959\STacSV.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
svchost.exe 4
svchost.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe 4
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Betsy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.live.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
StartupFolder: c:\docume~1\betsy\startm~1\programs\startup\hamachi.lnk - c:\program files\hamachi\hamachi.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251807749812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\betsy\applic~1\mozilla\firefox\profiles\v659xl1n.default\
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-7 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-7 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-7 40384]
R2 HamachiService;Hamachi Service;c:\program files\hamachi\hamachi.exe [2009-9-2 625952]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-16 113024]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-7 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-7 40384]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-8-16 160256]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-9 135664]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [2009-8-16 1656960]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11.tmp --> c:\windows\system32\11.tmp [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-25 14336]

=============== Created Last 30 ================

2010-08-09 23:37:21 0 d-----w- C:\ccleaner-backups
2010-08-09 16:37:11 0 ----a-w- c:\documents and settings\betsy\defogger_reenable
2010-08-09 16:18:32 0 d-----w- c:\program files\Unlocker
2010-08-09 16:14:13 0 d-----w- c:\program files\CCleaner
2010-08-09 16:11:17 0 d-----w- c:\program files\Turbo Navigator
2010-08-08 13:04:03 0 d-----w- c:\program files\WiXkill
2010-08-08 03:26:26 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-07 22:54:09 6144 ------w- c:\windows\system32\2.tmp
2010-08-07 22:54:02 6144 ------w- c:\windows\system32\1.tmp
2010-08-07 22:37:44 0 d-----w- c:\documents and settings\betsy\log
2010-08-07 22:37:19 0 d-----w- c:\program files\Sophos
2010-08-07 19:44:10 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-08-07 19:33:40 0 d-----w- c:\program files\ProcessExplorer
2010-08-07 18:19:13 0 d-----w- c:\windows\system32\appmgmt
2010-08-07 17:54:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-07 17:54:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-07 17:54:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-07 17:53:09 0 d-----w- c:\program files\SpywareBlaster
2010-08-07 17:18:56 0 d-----w- c:\windows\system32\wbem\Repository
2010-08-07 10:18:25 0 d-----w- c:\windows\pss
2010-08-01 17:27:56 38848 ----a-w- c:\windows\avastSS.scr
2010-08-01 17:14:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-26 14:05:48 0 d-----w- c:\program files\Windows Media Connect 2
2010-07-26 14:04:46 0 d-----w- c:\windows\system32\LogFiles
2010-07-14 23:20:48 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================


============= FINISH: 21:53:31.95 ===============



Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:37 PM

Posted 10 August 2010 - 03:01 PM

Good evening. smile.gif

What you have is an infected MBR, if you hadn't already noticed, which unfortunately MBRCheck isn't always successful at dealing with, but the developer is in the process of working out why.
If your PC is unusable and you have the Windows installation disc you can boot to the Recovery Console and try to repair the MBR this way, or you can use MBRWizard on Hirun's boot disc.
The problem with either approach is that your machine may not have a standard MBR on, and replacing your existing infected MBR with one may "break" some Manufacturer's toys - a Factory Restore boot options for example.

If your machine only has one partition on it, then you should be OK with a simple repair and i'll walk you through either option if you tell me which you prefer to work with.
If it has more than one, unless you have partitioned the disc yourself, then you may be better contacting the manufacturer and asking if they have the wherewithal to replace the MBR with the custom one they may be using.
If you are unsure, let me know the make and model of the machine and i'll see what I can find out.

So long, and thanks for all the fish.

 

 


#3 dicktater

dicktater
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 10 August 2010 - 08:54 PM

Hi Noviciate,

The machine is a Dell Inspiron 1545. It has thre partitions, one of which is a factory system restore toy. Access to this partition is by F11 at boot. The machine is functional at the moment but, I don't want to lose access to this partition. So, I'd rather not bork the MBR if at all possible. Windows is loaded and I'm running Opera portable off of of the Hiren's boot CD in a feeble attempt to avoid waking the gremlin with IE or Firefox.

------------------------------------------------------------------------------
# mbrwiz /list

Disk: 0 MBR/GPT: None
Size: 149.05GB CHS: 19457 255 63
Sectors: 312581808 Disk Signature: 0xA42D04A3
Partitions: 3 Partition Order: 1 2 3
Media Type: Fixed Interface: IDE
Description: SAMSUNG HM160HI

Pos Idx Type/Name Size Boot Hide Start Sector Total Sectors DL Vol Label

1 1 DE-Dell 39M No No 63 80,262 <None>
2 2 07-NTFS 139G Yes No 81,920 292,017,832 C: OS
3 3 DB-C.DOS 9.8G No No 292,109,895 20,466,810 <None>
------------------------------------------------------------------------------

1 = Dell Diagnostics?
2 = Windows
3 = System Recovery?

Dell Chat is on break. I've tried speaking with Dell tech support to clarify the ramifications of using fixmbr but, found verbal communication with two of India's finest to be an exercise in futility. The second one put me on hold and never returned. The elevator music stopped, too. After a long period of silence, the line went dead. Have you heard, has there been another false flag terror attack in India? An attack abroad against outsourced American labor could mean war, you know. whistling.gif

Maybe you can find out more than I have about the custom MBR before we proceed with what could result in a less than desirable outcome.

Dell Inspiron 1545

If you need the service tag or express service code, let me know. I'd rather not post it though.

Thanks!

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:37 PM

Posted 11 August 2010 - 03:19 PM

Good evening. smile.gif

I love a healthy bitterness about call centres having spent some time engaged in the exercise in futility that contacting one is myself. wacko.gif

If you don't want to bork the Factory Restore ability then your options are limited i'm afraid. There are tools that are able to write any MBR you choose to the appropriate part of your hard drive, but first you need to get hold of one. If you can get any sense out of Dell and get them to send you a copy of the uninfected MBR then you should be able to repair the PC leaving it as good as new.
Please understand however that as the MBR is such a critical part of your system that if anything went wrong with the process of manipulating it in any way, and you know how touchy PCs can be, that you could end up with an expensive paperweight. While that is unlikely, the possibility does exist and so I mention it because I think you should be aware.

So long, and thanks for all the fish.

 

 


#5 dicktater

dicktater
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 11 August 2010 - 04:12 PM

QUOTE(Noviciate @ Aug 11 2010, 04:19 PM) View Post
Please understand however that as the MBR is such a critical part of your system that if anything went wrong with the process of manipulating it in any way, and you know how touchy PCs can be, that you could end up with an expensive paperweight. While that is unlikely, the possibility does exist and so I mention it because I think you should be aware.

Thanks Noviciate! I appreciate your warning but, aren't you exaggerating just a wee little bit? An expensive paperweight? We're talking about the hard drive, not the bios. If the MBR were to get totally borked that prevented booting from the Windows partition, wouldn't a clean reinstallation of Windows to that same hard drive still result in a working machine, minus a recovery partition? I mean that to be a rhetorical question. However, if I am showing some level of ignorance, please enlighten me if I'm appear to be sufferng from a cranial-rectal inversion. axesmiley.png

What I do hope to accomplish is erradication of the gremlin without having to do a clean install. Saving the recovery partition would be nice but. it wouldn't be the end of the world to lose it. In addition, I hope that this continues to be a good learning exercise in the event I have to play Whack-A-Gremlin again later. Something tells me that battling rootkits is only going to get worse, not better.

I'll try Dell again right now, see if I can make better headway, and report back as quickly as possible. Will you be available later this day? I'd like to put this issue to bed as soon as possible.

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:37 PM

Posted 11 August 2010 - 04:35 PM

Assuming you have a Windows installation disc and a bit of PC smarts, the only risk is to your existing OS, so paperweight isn't really accurate. However a PC without a bootable OS isn't much use, particularly if you don't have the disc or the ability to use it, so it's not too far fetched - depends on your angle. If you can't repair it, then it's a paperweight.
While I accept that I probably could be a little more realistic, I prefer not to let a poster think that there isn't a risk with this rather than have then surprised if things don't go according to plan.

If you get the MBR from Dell, or any identical PC that you can get your hands on, then you can overwrite and be done. If you can't, or if the MBR gets corrupt in the process, then running the command fixmbr from within the Recovery Console is the next option - it will do the same as using MBRCheck and has the advantage that you don't need to be in Windows proper to run it.

I'm off for a quick dabble with Godfather as i've nearly become Don of NYC again, and as it's nearly night-nights where I am, you'll have to wait till the morrow to sort this out.

So long, and thanks for all the fish.

 

 


#7 dicktater

dicktater
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:37 PM

Posted 11 August 2010 - 05:05 PM

QUOTE(Noviciate @ Aug 11 2010, 05:35 PM) View Post
I'm off for a quick dabble with Godfather as i've nearly become Don of NYC again, and as it's nearly night-nights where I am, you'll have to wait till the morrow to sort this out.

Night nights where you are. Must be on the east side of the Atlantic. No luck with Dell. I'll need to install the recovery console then. Is using Combofix to install the recovery console recommended or should I just boot from an XP CD?

Have fun!

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:37 PM

Posted 12 August 2010 - 01:59 PM

Good evening. smile.gif

Fun had.

I prefer to use the Windows disc for the Recovery Console as you should be confident that nothing has had the opportunity to corrupt anything - you just can't rely on nasties to leave safety nets alone these days and a well crated deletion will render the installed RC deaded.

You get the standard post for this, so ignore the bits you already know and post accordingly:

Step 1: You will need to set the CD-Rom as first boot device if it isn't already. There's a handy pictorial guide here. As long as you don't get too carried away you won't do any harm, and you should get the option to exit the BIOS without saving any changes if you are unsure what you did was right.
Obviously if you are sure, make sure that you exit with changes saved.

Step 2: Boot from the disc, access the Recovery Console and run the command fixmbr - handily, you get a walkthrough of both the Recovery Console and repairing the MBR here.

Windows may warn that your MBR is non-standard and prompt for confirmation - this is due to the MBR being infected and you should tell Windows to continue.

Step 3: Once you have rebooted the PC, run MBRCheck.exe again and let me have the log produced. Please make sure you post the latest log, the date will be in the file name, or we'll go round in circles until the end of time.

If I haven't made something clear, please ask BEFORE you begin.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One final thought, as long as you don't mess with the actual configuration of your drive, if at any time in the future you manage to get your hands on a Dell MBR of the right type you can overwrite the existing one and restore your Factory Restore option.

So long, and thanks for all the fish.

 

 


#9 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:37 PM

Posted 17 August 2010 - 02:50 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users