Author Topic: Win32:Kelihos-S[Trj] & faked MBR code  (Read 7153 times)


MistyLake

  • Guest
Win32:Kelihos-S[Trj] & faked MBR code
« on: September 05, 2011, 06:22:17 PM »
I apologize for the mishmash of logs I'm about to send in this and the following posts, but today is the first day I have been able to complete all scans in one sitting (yay!)

Attached, you'll find the most recent MBAM Quick Scan log.

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #1 on: September 05, 2011, 06:28:32 PM »
Attached, you'll find the OTL log from the first time I ran the Quick Scan.

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #2 on: September 05, 2011, 06:29:12 PM »
And here's the OTL log from today's Quick Scan.
« Last Edit: September 05, 2011, 06:32:48 PM by MistyLake »

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #3 on: September 05, 2011, 06:31:45 PM »
I wasn't able to "force" a new Extras log today, so I'm attaching the one from the first Quick Scan I did.

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #4 on: September 05, 2011, 06:37:07 PM »
This is the aswMBR QuickScan log.

Offline Pondus

  • Probably Bot
  • Posts: 37534
  • Not a avast user
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #5 on: September 05, 2011, 06:45:01 PM »
Quote
I wasn't able to "force" a new Extras log today, so I'm attaching the one from the first Quick Scan I did.

It is only created at first scan   ;)   just some extra system info

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #6 on: September 05, 2011, 07:24:29 PM »
I should explain that on 10/16/10, I fell for the USAJobs PDF exploit lurking in what I thought was an innocent message in my Yahoo inbox.  It changed my Desktop, Firefox homepage, and wouldn't allow me to access antimalware software, antimalware-related websites, or to install any antimalware programs I had downloaded to a flash drive from an uninfected computer.

A friend took the hard drive out of the tower and scanned it but could find nothing, so he returned the computer to me, but I was still having problems with it running slowly and never going into Sleep mode.  I then started receiving e-newsletters I had never signed up for, even after changing my Yahoo password multiple times, so my friend recommended I simply restore my computer to factory settings.

I thought that would take care of the problem, but it obviously did not, because I discovered a strange login name on DD7's computer account on 7/27/11.  So, I downloaded and followed MakeUseOf.com's Malware Removal Guide.  I wasn't particularly happy when I installed AIS and discovered I had Win32:Kelihos-S[Trj], a decompression bomb, and several corrupted archives, but I was overjoyed to find my computer actually running normally and going into Sleep mode for the first time.

My bubble burst, however, when I got to Step 19 of the Removal Guide.  I ran aswMBR but noted in the log that it hadn't scanned D drive (yes, I now know what MBR stands for but, at the time, thought the program was yet another virus scanner), so I clicked on the drop-down to select D but opted to try a Full Scan of C drive first.  The program crashed whether I was in Normal or Safe Mode, so I went online to find a fix and discovered MBRCheck, which found "MBR Code Faked!"

So, here I am now, seeking more knowledgeable help :)
ML
--
HP s3707c
AMD Athlon 64x2 Dual Core Processor 5400+ 2.80 GHz
4.00 GB RAM
64-bit Vista Home Premium SP2
running KIS at time of infection, then switched to Norton360, now using AIS
MBAM has never found a thing on my computer, whether my PC was infected or not :(
« Last Edit: September 05, 2011, 08:00:28 PM by MistyLake »

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #7 on: September 05, 2011, 07:26:14 PM »
Quote
It is only created at first scan   ;)   just some extra system info

Thanks for letting me know, Pondus :)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #8 on: September 05, 2011, 08:55:42 PM »
Here you go Misty - a quick MBR fix first whilst I check out the OTL log

Run MBRCheck.exe once again.
 
You will be presented with the following dialog:
 
Quote
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

 
Enter Y and press Enter.
 
The following dialog will be presented:
Quote
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
 
Enter your choice:

 
Enter 2 and press Enter
 
The following dialog will be presented:
 
Quote
Enter the physical disk number to fix (0-99, -1 to cancel):

 
Enter >>0<< and press Enter
 
The following dialog will be presented:
Quote

Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
 
Please select the MBR code to write to this drive:

 
Enter >>3<<  and press Enter
 
The following dialog will be presented:
Quote
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:

 
Type YES and press Enter (you must type the full word, YES). You will be informed if it successfully wrote a new MBR code!
 
And last the following dialog will be presented:
 
Quote
Done! Press ENTER to exit...

 
Press Enter. A report will be produced on the desktop. Post that report in your next reply.
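An added example, not part of this thread and not code from the MBRCheck tool: a small Python parser for a raw MBR dump such as the file that option [1] above writes (assumed here to be the unmodified first 512-byte sector of the disk). It checks the 0x55AA boot signature and the partition table, and compares a SHA-256 of the 446-byte boot code with a known-good baseline, which is what a "MBR Code Faked!" verdict amounts to. The boot-code bytes and the baseline are constructed sample values, not real Vista boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code that MBRCheck compares
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of every valid MBR sector


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR sector into boot-code hash, signature check and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": parts,
    }


def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the known-good dump."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (what MBRCheck reports as 'MBR Code Faked!')")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings


def build_sample(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one active NTFS (0x07) partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed stand-in for a dump taken from a clean machine; hash it once and keep it as the baseline.
KNOWN_GOOD = build_sample(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(KNOWN_GOOD)["boot_code_sha256"]
```

In practice the baseline hash comes from a dump of a machine known to be clean, or from the same disk before the infection; only the boot-code bytes are hashed, so the partition table can legitimately differ between machines.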

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #9 on: September 16, 2011, 03:02:49 AM »
Note to self:  Never, never, ever, ever reboot when a log tells you to; always wait until an expert avast! Evangelist advises you to do so ^///^

I'm afraid I had to reinstall my OS, essexboy, so I must post entirely new logs :(  Hopefully, we'll be able to correct the faked MBR code--which still exists on my PC--without my making another disastrous error!  Attached, you'll find the most recent MBAM log.


ML
--
HP Pavilion s3707c
AMD Athlon 64 X2 Dual Core Processor 5400+ 2.80 GHz
4.00 GB RAM
NVIDIA GeForce 9100
Windows Vista Home Premium SP2 (64-bit)
MBAM since PC purchased (Mar 2009)
KIS when infected (Oct 2010), Norton360 after System Restore (Feb 2011), AIS after strange login found on PC acct (Jul 2011), NIS 2009 after System Recovery (Sept 2011)
« Last Edit: September 16, 2011, 03:12:19 AM by MistyLake »

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #10 on: September 16, 2011, 03:05:16 AM »
Here are both OTL logs.
« Last Edit: September 16, 2011, 03:12:59 AM by MistyLake »

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #11 on: September 16, 2011, 03:09:36 AM »
Here is the aswMBR log (3a).  I, of course, cannot attach the DAT file (3b).

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #12 on: September 16, 2011, 03:11:42 AM »
And here is the MBRCheck log (4) and the MBRCheck report (4a).  Again, I am unable to attach the DAT file (4b).

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #13 on: September 16, 2011, 06:11:33 PM »
OK, the MBR is still faked and this is obviously the tougher variant.  So we will need to fix it whilst it is inactive.

Create a Windows 7/Vista System Repair Disc
 
Note: the below can only be done if your machine has a type of CD/R or DVD/R optical drive installed. Also, depending on the exact type of OEM your machine has, you may be unable to actually create a SRD.
 
  • Click on Start(Windows 7 Orb) >> Run...(or the Windows key and R together) to bring up the Run box, then copy/paste the following command into the box and click on OK:
     
    Quote
    recdisc.exe

  • Allow the UAC(User Account Control) prompt via selecting Yes.
  • You should now see a menu like the below:-


 
  • Put a blank rewritable  CD/DVD in your optical(CD/DVD) drive and then click on Create disc.
  • Note: If a AutoPlay window pops up, just close it.
  • When the SRD has been created you will see the below:-


 
  • Now click on Close >> OK. Leave the disc in the drive as we will be using it shortly.
  • You now have a Windows 7/Vista System Repair Disc.
Reboot the computer and start from the CD



When you reboot you will see this, although yours will say Windows 7. Click Repair my computer

 
Select your operating system

 
Select Command prompt

 
At the command prompt type the following

Quote
Bootrec.exe /FixMbr

  • Once finished type Exit

Reboot to normal Windows and run MBRCheck again please

MistyLake

  • Guest
Re: Win32:Kelihos-S[Trj] & faked MBR code
« Reply #14 on: September 19, 2011, 12:56:59 AM »
This might be a silly question, but aside from deleting my desktop icons and disabling shortcuts willy-nilly, can malware on a computer actually delete an OS?  I ask because it's the only explanation I can think of for why I found my PC "awake" and asking me to "Reboot and Select the proper Boot device/or Insert Boot Media in the selected Boot device and press a key" last night.

Once again, essexboy, I've had to reinstall my OS, so I'll be attaching fresh MBAM & OTL logs.  I also was not able to create an SRD (nothing happened after I approved the UAC prompt).

Getting too old for this,
ML ;-)
--
Windows Vista Home Premium SP2 (64-bit)
HP Pavilion s3707c
AMD Athlon 64 X2 Dual Core Processor 5400+ 2.80 GHz
4.00 GB RAM
NIS 2009 and MBAM