Weird MBR Volume Extra Drive Show Up

EcoGreek

OK, this is really weird. I don't know if someone is taking over my computer or what. Boot-up is really slow, with a process taking 50% CPU. Account unknown is on the logon under permissions as well as the console logon. I have to kill the process or else the process keeps using up my RAM. This is on an Intel dual-core processor with Windows 7 Professional Home and 2 GB of RAM on a 320 GB HD.

When I get email in Outlook, clicking on the message opens up my browser as though it were looking for a server, and I get an error message. file:///C:/Users/Hannspree/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/%7B89314F91-B675-4CF9-A7F2-544F14BA1676%7D/%7BE78C07C0-7AAE-4B63-BB6C-D692F73D3559%7D.html

I happened to look at the C:\ drive under Properties. I clicked on Defrag and I got an extra volume or drive showing up. What is stranger is that I just happened to click on the C drive, then Tools, then Defrag, and it shows a strange volume or disk. I have no idea where or how that disk got on my computer. It looks like a redirect to a server somewhere.
\\?\Volume{c0a6d66c-fee7-11df-8ee8-806e6f6e6963}\


MBRCHECK shows

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`77100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000b`3b100000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BEVT-22ZCT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown MBR code

I ran bootrec /fixmbr, which works, but it still shows up on the C: drive under Defrag.

Any ideas on what's going on or how to get rid of this drive or volume?
SHA1: 932574F4079BA24A086DB856C58A224C97813B78

First pic: the problem, showing the volume/drive.
Second pic: Computer Management in Control Panel; everything looks normal.
Third pic: what started the whole problem, in email.

Yikes, what's going on? Has my computer become a zombie to spam out email? I have all the latest anti-virus and malware software installed, monitoring in real time.
 

My Computer My Computer

OS
windows 7 home professional 32bit
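An added example, not part of the original post or of anything the poster ran: it decodes the two things quoted above that look alarming, the MBRCheck offsets and the \\?\Volume{...}\ name, and then lists the disk layout the way Windows itself sees it. The arithmetic uses only the values EcoGreek posted; the live queries assume the machine's Windows 7 with its stock PowerShell 2.0, and the mountvol lines at the end assume the GUID is the one posted.

```powershell
# Added example, not from the thread: decodes the MBRCheck lines and the
# volume GUID quoted above, then asks Windows for the layout directly.
# Written for the PowerShell 2.0 that ships with Windows 7.

# 1. MBRCheck offsets, copied from the post. MBRCheck lists lettered volumes
#    only, so a partition without a drive letter shows up just as a gap.
$mbrcheck = @(
    '\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`77100000 (NTFS)',
    '\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000b`3b100000 (NTFS)'
)
$layout = @()
foreach ($line in $mbrcheck) {
    if ($line -match '\\\\\.\\(\w:).*offset 0x([0-9a-f]+)`([0-9a-f]+)') {
        $offset = [Convert]::ToUInt64($matches[2] + $matches[3], 16)
        $layout += New-Object PSObject -Property @{
            Letter   = $matches[1]
            StartMiB = $offset / 1MB
        }
    }
}
$layout | Sort-Object StartMiB | Select-Object Letter, StartMiB | Format-Table -AutoSize
# C: starts at 6001 MiB and D: at 46001 MiB. A Vista/7-era installer puts the
# first partition at 1 MiB, so about 6000 MiB sit in front of C: in a
# partition MBRCheck never names: that is where the unlettered volume lives.

# 2. The volume GUID. The third group starts with 1, so it is a time-based
#    UUID: the last group is the "node" and the first three carry a timestamp.
$volGuid = 'c0a6d66c-fee7-11df-8ee8-806e6f6e6963'
$g = $volGuid.Split('-')
$nodeBytes = @()
for ($i = 0; $i -lt $g[4].Length; $i += 2) {
    $nodeBytes += [Convert]::ToByte($g[4].Substring($i, 2), 16)
}
# Byte 0 is 0x80 (multicast bit set, so it cannot be a real MAC); bytes 1-5
# are ASCII. Windows uses this node, "nonic", when it builds UUIDs without a
# network card's address, and Mount Manager's volume IDs on MBR disks
# routinely end in it. It does not point at any server.
$node = [System.Text.Encoding]::ASCII.GetString($nodeBytes, 1, 5)      # nonic
# Timestamp: 100 ns ticks since 1582-10-15 UTC, version nibble stripped.
$ticks   = [Convert]::ToInt64($g[2].Substring(1) + $g[1] + $g[0], 16)
$epoch   = New-Object DateTime 1582, 10, 15, 0, 0, 0, ([DateTimeKind]::Utc)
$created = $epoch.AddTicks($ticks)   # early December 2010 (UTC): when this
                                     # Windows install first saw the volume
"node=$node created=$created"

# 3. The live view, run on the affected machine: partitions in disk order and
#    every local volume Windows knows about, lettered or not.
Get-WmiObject Win32_DiskPartition | Sort-Object DiskIndex, StartingOffset |
    Select-Object DeviceID, Type, Bootable, PrimaryPartition,
        @{n='StartMiB'; e={ $_.StartingOffset / 1MB }},
        @{n='SizeMiB';  e={ [math]::Round($_.Size / 1MB) }} |
    Format-Table -AutoSize
Get-WmiObject Win32_Volume -Filter "DriveType=3" |
    Select-Object DeviceID, DriveLetter, Label, FileSystem, BootVolume, SystemVolume,
        @{n='SizeMiB'; e={ [math]::Round($_.Capacity / 1MB) }} |
    Format-Table -AutoSize
# 'mountvol' with no arguments prints the same \\?\Volume{...}\ names with their
# mount points. To look inside the unlettered one, give it a letter for a while
# and take the letter back afterwards:
#   mountvol R: \\?\Volume{c0a6d66c-fee7-11df-8ee8-806e6f6e6963}\
#   mountvol R: /D
```

Two caveats worth having before anything on that disk is deleted. A volume that Mount Manager knows about but that has no drive letter is exactly how OEM recovery partitions are kept out of Explorer while defrag and diskpart still see them, and the Win32_Volume listing shows whether the unlettered one is NTFS with a label and a size matching the 6000 MiB gap. And MBRCheck's "Unknown MBR code" only says that the boot sector's code did not match its table of known Windows and Linux loaders; OEM laptops often ship a custom MBR that trips it, so it needs the partition list and the signature checks further down the thread before it means anything on its own.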
Download TDSSKiller and run it. If it finds any viruses (marked in red, not yellow, which is only a notice), follow the instructions here.
Download and install Malwarebytes, update the virus library (or whatever it is called), disconnect from the internet and run a full scan!
This is a laptop, right? That partition seems to be your Windows Vista/7 recovery and install partition.
Originally it was/is a hidden partition for Windows installer files. Have you used it previously? Did you buy the laptop with Windows 7?
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Built PC
OS
Windows 7 Ultimate 64 bit SP1
CPU
Intel(R) Core(TM) i5-2500K
Motherboard
Gigabyte Technology Co., Ltd. Z68X-UD3-B3
Memory
12GB Kingston Hyperx 1600MHz
Graphics Card(s)
Asus GTS 450
PSU
500W Coolink
Other Info
Genius G-Pen F610 (PenPad)
I am running SAS, Avira, WinPatrol, SpywareBlaster, Spybot, Malwarebytes and Windows Defender in real time. I ran all files; nothing. The problem is that something has taken over my laptop and is using 50% CPU in the svchost file with an unknown account number. It started in Outlook: when I click on an email file it launches Firefox, as though my machine is a zombie sending out spam.

I ran Avira rootkit, Sophos rootkit and TDSSKiller, and nothing. Has me stumped.
 

Go to C:\Users; you should see 2 or 3 accounts: yours, Public, Default (don't mind if you don't see Default, because it is hidden).
If there are any other accounts, delete them or move them to another directory (better would be to put them into quarantine/block access with your AV).
What about your preinstalled OS?
 

OK, under C:\Users I have:
Administrator
All Users with a lock
Default
Default User with a lock
Hannspree with a lock
Nancy
Public
In Control Panel, under User Accounts, I have Administrator, Nancy and Guest (turned off).

What's weird is why this drive shows up only under Defrag and not under Windows Explorer or the admin panel. Rootkit in the MBR or kernel?

Really confused. Thanks for your help
 

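An added example, not from either poster: the C:\Users check suggested a few posts up, done against the registry's profile list and the local SAM instead of by eye in Explorer, and then applied to a listing like the one just posted. Two of the locked folders in that listing, All Users and Default User, are junctions that Windows 7 creates for compatibility and denies listing of, which is why they carry lock icons; the script classifies them as such rather than as accounts. It assumes Windows 7 with PowerShell 2.0 and an elevated prompt.

```powershell
# Added example, not from the thread: the C:\Users check done against the
# registry's profile list and the local SAM rather than by eye in Explorer.
# PowerShell 2.0 / Windows 7; run from an elevated prompt.

function Get-ProfileReport {
    # Local accounts, keyed by SID. Control Panel shows only a subset of these.
    $accounts = @{}
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        ForEach-Object { $accounts[$_.SID] = $_ }

    # Every profile registered under ProfileList. An entry whose SID no longer
    # resolves to any account is an orphan; a Special one belongs to a service
    # account such as LOCAL SERVICE and is normal.
    Get-WmiObject Win32_UserProfile | ForEach-Object {
        $sid  = $_.SID
        $name = '<unresolvable SID>'
        try {
            $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $name = $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        $disabled = $null
        if ($accounts.ContainsKey($sid)) { $disabled = $accounts[$sid].Disabled }
        $lastUse = $null
        if ($_.LastUseTime) {
            $lastUse = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.LastUseTime)
        }
        New-Object PSObject -Property @{
            Account  = $name
            SID      = $sid
            Path     = $_.LocalPath
            Special  = $_.Special
            Loaded   = $_.Loaded
            Disabled = $disabled
            LastUse  = $lastUse
        }
    } | Select-Object Account, Path, Special, Loaded, Disabled, LastUse, SID
}

function Get-UsersFolderReport {
    # Classify each folder under C:\Users. Windows 7 itself creates 'All Users'
    # and 'Default User' as junctions (and denies listing them, hence the lock
    # icons) plus 'Default' and 'Public'; none of those is a user profile.
    $profilePaths = @(Get-WmiObject Win32_UserProfile |
        ForEach-Object { $_.LocalPath.TrimEnd('\').ToLower() })
    Get-ChildItem C:\Users -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $kind = 'folder with no profile entry: investigate'
        if (($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            $kind = 'junction (standard on Windows 7)'
        } elseif ($_.Name -eq 'Default' -or $_.Name -eq 'Public') {
            $kind = 'standard folder'
        } elseif ($profilePaths -contains $_.FullName.ToLower()) {
            $kind = 'registered profile'
        }
        New-Object PSObject -Property @{ Folder = $_.Name; Kind = $kind }
    } | Select-Object Folder, Kind
}

Get-ProfileReport     | Format-Table -AutoSize
Get-UsersFolderReport | Format-Table -AutoSize
```

The first table is the one to read for the "unknown account" question: a profile whose SID no longer resolves, or a non-Special profile that Control Panel never lists, is worth more attention than a folder name. Deleting a folder under C:\Users leaves its ProfileList entry behind, so if anything is removed it should be removed through the System Properties profile dialog or by deleting both the folder and the matching ProfileList key.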
It will not allow me to add a drive. I right-click and all I get is a square box with Help in it. If I click on the other drives or volumes, it brings up the screen in 6. Add Drive Letter.
 

Please use this partition wizard then.
Try to add a drive letter; if that fails, delete (not wipe or format) that extra partition.
Make a new partition of the maximum size available and set the NTFS file format.
Now try to add a drive letter again!
I hope this solves the problem.
 

Just to show what happens when I am running the computer: svchost.exe 6048 shows the CPU usage, and it can be another svchost.exe number (doesn't matter) every time I boot up. Examining svchost.exe shows an unknown account logged in on the console logon and my logon, and the CPU constantly runs at 48-50% until I remove the unknown account and kill the process. Then everything is fine. :confused:

That's why I think my computer has been compromised, as it started in July after I started doing some work at various internet cafe places. :cry:

I'll try your solution.

Thanks for your help
 

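An added example, not from the thread, for the svchost question just raised: for every svchost.exe instance it reports the account it runs as (and the raw SID, for the case where the name does not resolve), where its image lives and who signed it, the services it hosts, and its current CPU share. It assumes Windows 7 with PowerShell 2.0 and an elevated prompt, since GetOwner() fails on SYSTEM processes from a normal one.

```powershell
# Added example, not from the thread: one row per svchost.exe instance with
# owner, image, signer, hosted services and CPU share.
# PowerShell 2.0 / Windows 7; run elevated so GetOwner() works on SYSTEM.

function Get-SvchostReport {
    $services = Get-WmiObject Win32_Service
    # CPU share is summed over cores: a process pinning one core of a
    # dual-core reads 100 here and 50% in Task Manager.
    $cpu = @{}
    Get-WmiObject Win32_PerfFormattedData_PerfProc_Process | ForEach-Object {
        $id = [int]$_.IDProcess
        $cpu[$id] = [int]$_.PercentProcessorTime
    }
    Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
        $p = $_
        $owner = '<access denied>'
        $o = $p.GetOwner()
        if ($o.ReturnValue -eq 0) { $owner = $o.Domain + '\' + $o.User }
        $ownerSid = $p.GetOwnerSid().Sid        # readable even if the name is not
        $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                    ForEach-Object { $_.Name })
        $signer = '<no path / unsigned>'
        if ($p.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
        }
        $id = [int]$p.ProcessId
        New-Object PSObject -Property @{
            PID      = $id
            Owner    = $owner
            OwnerSid = $ownerSid
            CPU      = $cpu[$id]
            Image    = $p.ExecutablePath
            Signer   = $signer
            Services = ($hosted -join ', ')
            CmdLine  = $p.CommandLine
        }
    } | Sort-Object CPU -Descending |
        Select-Object PID, Owner, OwnerSid, CPU, Services, Signer, Image, CmdLine
}

Get-SvchostReport | Format-List
# The cruder cmd.exe version of the Services column:
#   tasklist /svc /fi "imagename eq svchost.exe"
```

Every legitimate instance lives in %SystemRoot%\System32, runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE, carries a -k group name on its command line and hosts at least one service. An instance whose owner comes back as a bare SID, whose image is anywhere else, or that hosts nothing is the one to pull apart. A Microsoft-signed System32 instance that pins one core usually points at the service inside it rather than at the binary (Windows Update's wuauserv was a frequent cause of exactly this on Windows 7), and the Services column says which service that is.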
Wait, you cannot run all of those AVs simultaneously! You should choose one and uninstall/disable the others!
I suggest Avira or Malwarebytes; decide which you want and remove all the others.
Also, type msconfig into the Start menu and hit Enter. A new window will come up; go here:
(screenshot: MSConfig_services.gif)

and check "Hide all Microsoft services", then disable all except your antivirus (whichever you have chosen to keep).
 

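An added example, not from the thread: the programmatic form of msconfig's "Hide all Microsoft services" step just described, so the candidates can be reviewed (with their signer and binary path) before anything is disabled. It assumes Windows 7 with PowerShell 2.0 and an elevated prompt; the service names in the final comment are placeholders.

```powershell
# Added example, not from the thread: lists every service whose binary is not
# signed by Microsoft, which is what msconfig hides behind its checkbox.
# PowerShell 2.0 / Windows 7, elevated prompt.

function Get-NonMicrosoftService {
    Get-WmiObject Win32_Service | ForEach-Object {
        $svc = $_
        # PathName is the raw ImagePath: may be quoted and may carry arguments.
        $exe = $svc.PathName
        if (-not $exe) { $exe = '' }
        if ($exe -match '^"([^"]+)"')       { $exe = $matches[1] }
        elseif ($exe -match '^(.+?\.exe)')  { $exe = $matches[1] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $signer = '<unsigned or unreadable>'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Name      = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            Signer    = $signer
            Path      = $exe
        }
    } | Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' } |
        Select-Object Name, StartMode, State, Signer, Path
}

Get-NonMicrosoftService | Sort-Object Name | Format-Table -AutoSize
# What msconfig's checkbox does, one service at a time, once decided (keep
# the antivirus you chose; <ServiceName> is a placeholder):
#   Set-Service -Name <ServiceName> -StartupType Disabled
```

The list is a review list, not a kill list: unsigned services from hardware vendors are common and harmless, and anything whose Path points outside Program Files or System32, or whose binary no longer exists, deserves a look before it is disabled rather than after.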