MBR:\\.\PHYSICALDRIVE 0\Partition4 that I cannot delete!!! PLEASE HELP!

Hello,

I have tried to delete the following: MBR:\.\PHYSICALDRIVE 0\Partition4

It is not working. I am unfamiliar with how to get rid of this, so any help would be appreciated.

If you are unfamiliar you are best getting qualified help.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.

Thank you! Here is the data:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.24.07

Windows 7 Service Pack 1 x64 NTFS

8/25/2012 10:39:48 PM
mbam-log-2012-08-25 (22-39-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235500
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

We also need OTL and aswMBR logs.

Here is the aswMBR log. OTL to follow. Thank you!

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-25 22:54:07

22:54:07.084 OS Version: Windows x64 6.1.7601 Service Pack 1
22:54:07.084 Number of processors: 2 586 0x2A07
22:54:07.084 ComputerName: THEBRYANTS UserName: Tony
22:54:08.664 Initialize success
22:54:08.796 AVAST engine defs: 12082501
22:54:22.406 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
22:54:22.416 Disk 0 Vendor: Hitachi_ ES2O Size: 305245MB BusType: 3
22:54:22.426 Disk 0 MBR read successfully
22:54:22.436 Disk 0 MBR scan
22:54:22.436 Disk 0 Windows 7 default MBR code
22:54:22.446 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
22:54:22.466 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 100 MB offset 27265024
22:54:22.486 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 291817 MB offset 27469824
22:54:22.516 Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 10 MB offset 625113088
22:54:22.516 Disk 0 Partition 4 INFECTED MBR:SST [Rtk]
22:54:22.556 Disk 0 scanning C:\Windows\system32\drivers
22:54:30.050 Service scanning
22:54:58.040 Modules scanning
22:54:58.380 Disk 0 trace - called modules:
22:54:58.430 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8003ff5334]<<iaStor.sys hal.dll
22:54:58.440 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8003fd4230]
22:54:58.450 3 CLASSPNP.SYS[fffff88001a5a43f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8003b06050]
22:54:58.460 \Driver\iaStor[0xfffffa8003a794d0] → IRP_MJ_INTERNAL_DEVICE_CONTROL → 0xfffffa8003ff5334
22:54:59.120 AVAST engine scan C:\Windows
22:55:01.972 AVAST engine scan C:\Windows\system32
22:56:28.787 AVAST engine scan C:\Windows\system32\drivers
22:56:38.133 AVAST engine scan C:\Users\Tony
22:57:07.487 Disk 0 MBR has been saved successfully to “C:\Users\Tony\Documents\MBR.dat”
22:57:07.507 The log file has been saved successfully to “C:\Users\Tony\Documents\aswMBR.txt”
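The partition lines in the aswMBR log above come straight from the four 16-byte entries at offset 446 of the MBR sector. The following is an added example, not part of the original thread or of aswMBR: it parses such a sector and flags an active (boot) flag sitting on a hidden partition type, which is the pattern the log reports for Partition 4. The sample sector is constructed from the values in the log with the boot code zeroed, and the 512-byte sector size and the `HIDDEN_TYPES` list are assumptions.

```python
import struct

SECTOR = 512  # bytes per sector (assumption; consistent with the sizes in the log)
# Partition type bytes commonly listed as "hidden" (assumed list, includes WinRE 0x27)
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}
ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, count

def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR sector."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype == 0:  # empty slot
            continue
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "lba": lba, "size_mb": count * SECTOR // (1024 * 1024)})
    return entries

def review(entries):
    """Heuristic notes for a human to check; not a malware verdict."""
    notes = []
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        notes.append(f"{len(active)} active partitions, expected 1")
    for e in active:
        if e["type"] in HIDDEN_TYPES:
            notes.append(f"partition {e['index']}: active flag on hidden type "
                         f"0x{e['type']:02X} ({e['size_mb']} MB at LBA {e['lba']})")
    return notes

def build_sample(rows):
    """Constructed sector: zeroed boot code plus a table of (status, type, LBA, MB)."""
    table = b"".join(struct.pack(ENTRY, s, t, lba, mb * 2048) for s, t, lba, mb in rows)
    return bytes(446) + table.ljust(64, b"\x00") + b"\x55\xaa"

# Constructed from the aswMBR log above: status, type, offset, size in MB
LOGGED = [(0x00, 0x27, 2048, 13312), (0x00, 0x07, 27265024, 100),
          (0x00, 0x07, 27469824, 291817), (0x80, 0x17, 625113088, 10)]

if __name__ == "__main__":
    for note in review(parse_mbr(build_sample(LOGGED))):
        print(note)
```

To inspect a real dump instead of the constructed sample, pass the first 512 bytes of a raw sector image to `parse_mbr`; that a saved file such as `MBR.dat` is a raw sector dump is an assumption.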

I just attempted the OTL scan. Once it got to Scanning HKey-Users etc. I received an OTL Error Code 1717 - The interface is unknown. I pressed OK and I did not receive any logs. Please advise.

Could you reboot, please, then press and hold F8? On the menu that appears, do you have the option “Repair my Computer”?
If not, do you have the Windows CD?
If not, do you have access to a USB of at least 1GB?

I tried F8 and it will not allow me to repair. I also do not have the CDs, but I do have a USB.

Download the following three programmes to your desktop:

[*] WiNTBootIc
[*] Windows 7 64bit RC
[*] Listparts

Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy Listparts64 to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this although yours will say windows 7.
Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

[*]In the command window type in notepad and press Enter.
[*]A Notepad window will open. Under File menu select Open.
[*]Select “Computer” and find your flash drive letter and then close Notepad.
[*]In the command window type e:\listparts64 and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]Press Scan button.
[*]When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes on the flash drive.

Hi. I was unable to run any of the programs, as a box kept popping up displaying the following: Stopped Working Windows is checking for a solution to the problem. Please advise. Thank you.

Could you create the USB on a different computer, as the malware appears to be blocking it on your computer?

I was able to do the first program on another computer. However, when I attempt to save the Windows 7 Recovery Disk to my desktop, my computer wants to make a disc. How do I save it to the desktop and then proceed with the rest of the instructions?

You need to drop the Windows ISO file into wintoboot. Again, do this on a different computer.

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

Done. I also used a different computer. After I rebooted and inserted the USB, a message came up that read: No bootable partition in table. Please advise.

Darn there is probably a minor problem with the USB format…

Can you burn the ISO to a CD … That is a bit more time consuming I am afraid

Or we can use a straight Linux disc

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD for Gparted from the ISO image.

You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.

You should be here… Press ENTER

https://dl.dropbox.com/u/73555776/Gpart-Start.GIF

By default, “do not touch keymap” is highlighted.

https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF

Leave this setting alone and just press ENTER.

https://dl.dropbox.com/u/73555776/Gpart-continue.GIF

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below

https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF

According to your logs, the partition that you want to delete is 10 MB

Right click this partition and select delete.

https://dl.dropbox.com/u/73555776/GPart-delete.GIF

The Partition has gone

Now select Apply

Now you should be here:

https://dl.dropbox.com/u/73555776/Areyousure.GIF

Select Apply after double checking that the right partition was deleted

Is “boot” next to your OS drive (100 MB partition)?
If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags.

https://dl.dropbox.com/u/73555776/GPart-flags.GIF

In the menu that pops up, place a checkmark in boot like the picture below, then close:

https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF

Under File select Quit

https://dl.dropbox.com/u/73555776/Gpart-quit.GIF

You will see this small Popup

https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF

Choose reboot and then press OK.

Done - it actually worked! Thank you!!! Is there anything else I need to do?

Yep, could you run a fresh OTL scan please and let me know of any problems at all?

Attached are the OTL Logs.

Sorry. Here is the Extras LOG from OTL.

It is now 2am in the UK so essexboy is in bed, he will be back tomorrow late morning/afternoon.