Maximum PC

Hello to all who read!
I recently got a really bad (what I am suspecting it to be) rookit on my WinXP machine. My PC rebooted numerous times and after a few I got a Fake AV warning. I ran MalwareBytes, SUPERAntiSpyware, ComboFix, and RKill in safe mode and using a different account (I have found that sometimes malware only runs on the user account it was installed on) and they all froze. A complete reinstall of windows only got rid of the message for a few days but rebooting still occurred
Right now I have a LiveCD of Ubuntu running on it so my family can still use it.
Any ideas?
Thanks!

Sounds to me like it wrote itself to the master boot record.

Go into safe mode command prompt and type FIXMBR, hit enter. Do not go into windows! Shut down the pc, pull the plug and then hit the start button, this is to make sure it isn't living in ram. Restart the pc, format the drive and reload windows.

Nasty

Nasty is on the right path.... but fixmbr does not work in safemode... you have to do it from recovery environment... with windows xp its with a windows install disk(Just press R for recovery console) from their you can login and type fixmbr, After this you must type fixboot or you will not be able t "o boot up

In windows vista or 7, press f8 when booting... repair your computer(if you dont have that option then you have to use a full install disk and press repair your computer from the screen that has the install button on(down near the bottom) open the command prompt in the advanced options... make sure you in the correct drive(select C: or D: type in DIR to verify) then type bootrec.exe /fixmbr, then bootrec.exe /fixboot.

armyof1ne,

I have used what I suggested in XP and it works if you go to the command prompt in safe mode.

The poster never said what OS it was...just assumed...which is bad.

Nasty

really? i dont know how thats possible it would screw the local partition and modify boot sectors and everything(as in... partition location, most start off as harddrive0/partition1 or 0) does it say it will do it on next reboot or something, dont have time to test but... that doesnt make sense to me that it could do it in windows... it couldnt dump the active partition tables like that and still function

Not in windows....safe mode command prompt. Honest injuin' it works....also works if you use the command prompt using the cd.

http://www.microsoft.com/resources/docu ... x?mfr=true

opps guess I blew it What the hell did the command do when I ran it in safe mode....I know it did something because there was a hesitation then the blinker came back to normal after a couple of seconds.

The hard drives utility to setup a new drive also has within it an option to rebuild the MBR. I have done this to WD drives in the past when I suspected malware on the MBR, or just to be safe on a new build.

Nasty

Thanks to all posts!
Will attempt...

I have a hard time believing that this is something on the MBR too...

With what you've laid out, my only suggestion is to either install ubuntu or format your drive with reinstalling...which is something that didn't seem to have occurred.

Outside of that, you probably want to post a hijaakthis log...

It has to be in the MBR or linked into either the exe shell commands or some other shell command..... for it to reinstall like that during reboot makes me think a Rootkit... since its added a few days after to start menu(probably by the rootkit files) hence why i said try TDSS killer.... It may be TDL5 which nothing detects yet.... still.... 6 months later, rebuilding the MBR is the only option for TDL5, If he got TDL4... then the TDSS killer would tell him that

Safe mode command prompt is still using the windows OS to function.... It may not have the shell gui up(explorer.exe) but it still functional within windows, this is why it hurt my head when you said that... i was like.... MY MIND HAS BEEN BLOWN!... I would think you could do fixmbr on non-active partitions still... ones that arent primary to the OS... it would be no different than doing it offline in recovery console... at least i think