Infected with MBR:\\.\PHYSICALDRIVE0\Partition4 Need help, thanks!

My son’s computer is infected with this nasty virus. Is it possible, since he uses our home wireless network, that my computer is infected? I need help removing this from his computer - I reinstalled Windows but I’m sure you know that won’t fix this nasty one. I’ve read forums and I think I have done what is needed. Here are my log results:

Adware:

AdwCleaner v2.109 - Logfile created 01/27/2013 at 11:15:41

Updated 26/01/2013 by Xplode

Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

User : Brian - BRIAN-PC

Boot Mode : Normal

Running from : C:\Users\Brian\Downloads\adwcleaner.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\ Mozilla Firefox v18.0.1 (en-US)

File : C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\802ayjxx.default\prefs.js

[OK] File is clean.

-\ Google Chrome v [Unable to get version]

File : C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[S1].txt - [824 octets] - [27/01/2013 11:15:41]

########## EOF - C:\AdwCleaner[S1].txt - [883 octets] ##########

Hey and welcome to the forum. A malware expert will help you from here when one is online.

Hi and welcome,

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

[*]Disable any script blocking protection
[*]Right-click dds and select Run as Administrator to run the tool.
[*]When done, two DDS.txt’s will open.
[*]Save both reports to your desktop.

Please attach the contents of the following in your next reply:

DDS.txt

Attach.txt

http://i1224.photobucket.com/albums/ee380/jeffce74/TDSK.jpg
Please download TDSSKiller

[*]Double click TDSSKiller.exe
[*]Press Start Scan
[*]If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
[*]Do Not Attempt To Fix Anything Now. We just need to look over the report and be sure we are removing the correct items.
[*]Attach the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)


Here you go…thank you for your help!

Hi,

http://i1224.photobucket.com/albums/ee380/jeffce74/FRST.jpg
FRST

Download the 64-bit version of FRST for your system and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
[*]Use the arrow keys to select the Repair your computer menu item.
[*]Select US as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

[*]Insert the installation disc.
[*]Restart your computer.
[*]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[*]Click Repair your computer.
[*]Select US as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select “Computer”, note your flash drive letter, and close Notepad.
[*]In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter
Note: Replace the letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Here it is.

In the run box type the following

diskmgmt.msc

When Disk Management opens, expand it so that all drives are visible.
Take a screenshot and post it here.

Are you able to burn a CD on another computer ?

I will do this as soon as I get home. My other computer has crashed at home but I may be able to stop somewhere on my way home to burn something. Let me know what it is - thanks!

Please print out these instructions so it will be easier for you to follow along,

We need to delete the malware partition and set the proper boot partition as active

please do the following:

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

You should be here… Press ENTER

https://dl.dropbox.com/u/73555776/Gpart-Start.GIF

By default, “do not touch keymap” is highlighted.

https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF

Leave this setting alone and just press ENTER.

https://dl.dropbox.com/u/73555776/Gpart-continue.GIF

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF

According to your logs, the partition that you want to delete is 10 MB

Right click this partition and select delete.

https://dl.dropbox.com/u/73555776/GPart-delete.GIF

The partition is gone.

Now select Apply

Now you should be here:

https://dl.dropbox.com/u/73555776/Areyousure.GIF

Select Apply after double checking that the right partition was deleted

Is “boot” next to your 100 MB system drive?
If “boot” is not next to your 100 MB system drive under “Flags”, right-click the OS drive while in Gparted and select Manage Flags

https://dl.dropbox.com/u/73555776/GPart-flags.GIF

In the menu that pops up, place a checkmark in boot like the picture below, then close:

https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF

Under File select Quit

https://dl.dropbox.com/u/73555776/Gpart-quit.GIF

You will see this small Popup

https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF

Choose reboot and then press OK.

When you get this finished up…run a new scan with aswMBR and attach the new log.

These links don’t open up for me? I think they’re bad? Can you please send new ones? Thanks.

Sorry about that. Thanks for letting me know.

Download Tuxboot to your desktop
Run Tuxboot
On the first screen, in the dropdown box select Gparted Live - stable

https://dl.dropbox.com/u/73555776/Tuxboot.GIF

Select USB Drive from the Type drop-down.
Select the correct USB device from the Drive drop-down.
Click OK. This will start the process of creating the bootable USB device.

The instructions along with screenshots for Tuxboot are Here

Now boot off of the newly created Gparted USB.

You should be here… Press ENTER

https://dl.dropbox.com/u/73555776/Gpart-Start.GIF

By default, “do not touch keymap” is highlighted.

https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF

Leave this setting alone and just press ENTER.

https://dl.dropbox.com/u/73555776/Gpart-continue.GIF

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF

According to your logs, the partition that you want to delete is 10 MB

Right click this partition and select delete.

https://dl.dropbox.com/u/73555776/GPart-delete.GIF

The partition is gone.

Now select Apply

Now you should be here:

https://dl.dropbox.com/u/73555776/Areyousure.GIF

Select Apply after double checking that the right partition was deleted

Is “boot” next to your OS drive?
If “boot” is not next to your OS drive under “Flags”, right-click the OS drive while in Gparted and select Manage Flags

https://dl.dropbox.com/u/73555776/GPart-flags.GIF

In the menu that pops up, place a checkmark in boot like the picture below, then close:

https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF

Under File select Quit

https://dl.dropbox.com/u/73555776/Gpart-quit.GIF

You will see this small Popup

https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF

Choose reboot and then press OK.

Once back in normal Windows, run aswMBR please.

The program won’t run for me - see attached.

Ok…run a new scan for me with FRST and attach that please so that we can get a fresh look. :)

Here’s the log.

ListParts

For 64-bit systems please download Listparts64
Run the tool, click Scan and attach the log (Result.txt) it makes.

Here’s the log with the box checked for bcd (whatever that is).

Scan without checking the box. Wasn’t sure which way so I did it both ways.

Hi,

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it in the same directory ListParts is located as fix.txt

Disk=0 Partition=4 delete

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

[*]Run ListParts.
[*]Press Fix button.
[*]When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes.
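Both the GParted walkthrough earlier in the thread and the ListParts fix just above hinge on two things that can be read straight from the MBR partition table: an unexpected small extra partition (the 10 MB one in the poster's logs) and which partition carries the active/boot flag. The script below is an added example for readers of this thread, not code from the helper or from any of the tools mentioned; it parses the four primary entries of a raw 512-byte MBR and reports those two facts so a layout can be reviewed before anything is deleted. The sample sector is constructed here to mirror the layout the thread describes (a 10 MiB fourth partition holding the active flag next to a 100 MiB system partition) and is an assumption, not the poster's actual disk; the `read_first_sector` helper and the 32 MiB "small partition" threshold are likewise choices made for this example.

```python
import struct

SECTOR = 512              # bytes per sector assumed for size arithmetic
ENTRY_OFFSET = 446        # first of the four 16-byte MBR partition entries
ENTRY_SIZE = 16
MIB = 1024 * 1024
# status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a raw MBR sector."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature 0x55AA")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, ENTRY_OFFSET + i * ENTRY_SIZE)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,               # 1-based, as tools like ListParts report it
            "active": status == 0x80,     # 0x80 = active/boot flag, 0x00 = inactive
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mib": sectors * SECTOR / MIB,
        })
    return parts


def audit(parts: list, small_mib: float = 32.0) -> list:
    """Flag layouts worth a second look: wrong active count, tiny partitions,
    and especially a tiny partition that holds the active flag."""
    findings = []
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in parts:
        if p["size_mib"] < small_mib:
            note = f"partition {p['index']}: {p['size_mib']:.0f} MiB, type 0x{p['type']:02x}"
            if p["active"]:
                note += " and carries the active/boot flag"
            findings.append(note)
    return findings


def read_first_sector(path: str) -> bytes:
    """Read one sector from a device; on Windows this needs an elevated prompt,
    e.g. path r'\\\\.\\PhysicalDrive0' (the drive named in the thread title)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, ptype, lba_start, sectors)


def constructed_sample_mbr() -> bytes:
    """Constructed sample, not a real disk image: the layout this thread describes."""
    mbr = bytearray(SECTOR)
    entries = [
        _entry(0x00, 0x07, 2048, 204800),            # 100 MiB System Reserved, not active
        _entry(0x00, 0x07, 206848, 209715200),       # ~100 GiB Windows volume
        _entry(0x00, 0x27, 209922048, 2097152),      # 1 GiB recovery
        _entry(0x80, 0x07, 212019200, 20480),        # 10 MiB, active: the suspicious one
    ]
    mbr[ENTRY_OFFSET:ENTRY_OFFSET + 4 * ENTRY_SIZE] = b"".join(entries)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    layout = parse_mbr(constructed_sample_mbr())
    for p in layout:
        flag = "*" if p["active"] else " "
        print(f"{flag} #{p['index']} type=0x{p['type']:02x} start={p['lba_start']} "
              f"size={p['size_mib']:.0f} MiB")
    for f in audit(layout):
        print("review:", f)
```

Run as-is it prints the constructed layout and one review line for partition 4. To look at a real machine, replace the sample with `parse_mbr(read_first_sector(path))`, and treat the output the way the helper treats the logs in this thread: as something to inspect and confirm before any partition is deleted or any flag is moved.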


Still need help?

Yes, sorry, your reply didn’t get emailed to me and I was just logging in to PM you and found your replies - sorry! Here’s the scan results. Thanks!