Inactive [A] "Windows delayed write failed" pop-ups, files missing, fake "Windows security"

[jellybeans07]

I figured it was pretty serious... judging by all that's been affected. Kind of crazy that for the past 2 months or so I haven't had up to date anti-virus software and I get this free McAfee crap with my Cox package and now my computer is going to sh*t

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 1 (build 6
001), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: df1c10548966c4f16c540ebf80ffd180

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...

 

[Broni]

We need to reset your MBR.

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

• Place a blank CD in your CD drive.
• Double click on NTBR_CD.exe file and a folder of the same name will appear.
• Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
• Follow the prompts to burn the CD.

• Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
• If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.

• Insert the newly created CD into your infected PC and reboot your computer.
• Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
• Read the warning and then continue as prompted.
• You first need to select your keyboard layout - press Enter for English.
• Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
• On the following screen enter 5 to select Install Standard MBR code.
• Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
• When asked to confirm please do so.
• Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
• Eject the disc and then press ctrl+alt+del to reboot the PC.

Once rebooted, run Bootkit Remover again and post its log.

 

[jellybeans07]

I'll have to try to find a blank cd somewhere around here... it might be a while but once I do and complete those steps, I'll get back to you. And thank you very much for all of your help so far. I've been waiting for you to say this is too much work and I'm SOL

 

[Broni]

If you have Vista DVD we do it in different way.

 

[Broni]

Reopened......

 

[jellybeans07]

I followed all of the above steps and re-ran Bootkit. Also, should I change my computer settings back to the original boot settings or leave that alone for now?


Bootkit Log

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 1 (build 6
001), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

 

[Broni]

Good.

It's been a while so please update me on current issues.

 

[jellybeans07]

Well, I can log on fine and get on the internet, still can access programs by clicking the start button and then "all programs" but everything else on the start menu is blank. My desktop background is still black and I have no idea how to access my documents or pictures- even when I go through my computer they seem to have vanished. Every few days I get a pop up about a MalWareBytes error but I can't remember exactly what it says at this time. No more website redirecting nor am I still getting a mass of other pop-ups after logging in.

 

[Broni]

but everything else on the start menu is blank

What do you mean by everything else?

My desktop background is still black

Did you try to change it manually?

 

[jellybeans07]

Like how normally when I click the start button and the start menu has links to my documents, control panel, etc, nothing's there but "All Programs" and "Computer" leaving the rest of the menu blank. I just changed my background though, thank you. I don't know why I didn't think to try things the simple way.

 

[Broni]

Are you talking about area 1 or 2?

 

[jellybeans07]

Both areas. I have the "All Programs" at the bottom of Area 1 and a Link that says "Computer", not "My Computer" in area 2 and the rest is blank.

 

[Broni]

Left side is not a problem.
The upper part lists programs pinned to start menu.
You can pin any program there by right clicking on a program and clicking on "Pin to start menu".
Lower part lists frequently used programs. It'll populate over time, but you have to check something.
Right click on Start button, click "Properties" and make sure both boxes in "Privacy" section are checked.

While in "Properties" window you can take care of right side of the Start menu.
Click on "Customize..." button and checkmark all items you want to have visible on the right side of Start menu.

OK your way out.

 

[jellybeans07]

They weren't checked but I went ahead and did so and now it's back to normal. So, because all of the logs were jibberish to me- is my computer looking better compared to the first logs that were posted? Also, any suggestions on how to recover my documents and pictures?

 

[jellybeans07]

Also, the "accessories" folder is missing. Don't know if that's a big deal or how to get that back...

 

[Broni]

We're not done yet...

how to recover my documents and pictures?

More details please.

"accessories" folder is missing

In Start>All Programs?

Please upload new Junction log because the other one expired.

 

[jellybeans07]

While all of my programs seem to be in tact, if I try to access my documents or pictures on the c:drive those folders are empty. I don't know if they're just hidden or actually gone. And yes- going to Start>>All Programs, Accessories isn't there.

Here's the new junction log:
http://www.filedropper.com/newjunctionlog

 

[jellybeans07]

Also, I just noticed that when I search using the start menu, my pictures and documents show up as results so they're still here apparently.

 

[Broni]

Let's see, if we can recover your missing features.
Download and run UnHide
Let me know, if it worked.

As for "Accessories" download and run this utility http://download.bleepingcomputer.com/grinler/fakehdd/vista-32-sm-reset.exe

 

[jellybeans07]

UnHide brought back my Accessories, documents, and everything. Nice! I just noticed the fake Windows Security Alerts icon is still in the taskbar and McAfee still won't run- just get an error message when I try.

 

[Broni]

Good news

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

• Double-click on the Rkill desktop icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[jellybeans07]

Just an update: like last time, I'm having problems running ComboFix and I've been working these past few days but I'm gonna keep trying and will let you know how it goes on Wednesday.

 

[Broni]

OK...........