Please Help Physical Drive Partition3 + new Problem!

Dear Community,

I’m very lost with this problem and grateful in advance for any help.
Although I tried to read up, I’m afraid I’m not completely familiar with the do’s and don’ts proper to this communication.
Please point them out when I miss something.

My question is this,

MBR: \\.\PHYSICALDRIVE0\PARTITION3 comes up in AVAST

Sandbox warns me with 5947c1.exe in application data

and keb\qepet:.exe

I have attached an ASWAR and MBAM log

(No idea what I’m doing)

Looking forward for any help

Sincerely

Welcome to the forum. I think this needs further investigation by a malware expert, so follow this guide and post the results here, except for the Malwarebytes one, which you have already attached.

http://forum.avast.com/index.php?topic=53253.0

Thanks for the welcome and reply.

… I finished the OTL scan and saved them on my desktop.
Then I proceeded to download the aswmbr.exe to my desktop
After double-clicking, my PC was locked with a message saying that Buma (Dutch company) had locked my computer. After paying €50,= I would receive a code that would unlock my PC.

Tried everything, except paying of course, but I cannot get access to my PC anymore…
So I have a working laptop and an infected PC which is now inaccessible (for me).

What can I do?

Thanks in advance.

Sounds like you are infected with a Trojan.Ransom

essexboy… the removal specialist is notified

I gratefully await further instructions :slight_smile:

First, can you access safe mode to attach the OTL log, as these normally run from the winlogon/appinit areas?

If so I can use OTL to remove it… If not, can you burn a CD so that I can work outside of Windows?

Thank you for your help in advance!

I won’t be able to access my PC in the next ten hours.
The moment I can, I will try to retrieve the OTL.
Safe mode is, as it seems to me, not an option.

I have an Ultimate Boot CD v. 5.1.1.
Can (and if so, how do) I use this tool? …

Otherwise, how do I make a disc and get it to you?

Much appreciated

OK, there is a CD that you can burn that will enable us to run OTL outside of Windows

OK, next we will work outside of Windows, then. Please print these instructions out so that you know what you are doing

- Download OTLPENet.exe to your desktop
- Download the attached scan.txt to a USB drive
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open ImgBurn to burn the file to CD
- Reboot your system using the boot CD you just created.
  Note: If you do not know how to set your computer to boot from CD, follow the steps here
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :slight_smile:
- Your system should now display a Reatogo desktop.
  Note: as you are running from CD it is not exactly speedy
- Double-click on the OTLPE icon.
- Select the Windows folder of the infected drive if it asks for a location
- When asked “Do you wish to load the remote registry”, select Yes
- When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
- Ensure the box “Automatically Load All Remaining Users” is checked and press OK
- OTL should now start
- Drag and drop the scan.txt file from the USB into the Custom scans and fixes box, or double click the scan box
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\OTL.txt
- Copy this file to your USB drive if you do not have an internet connection on this system
- Right click the file and select Send to: select the USB drive.
- Confirm that it has copied to the USB drive by selecting it
- You can back up any files that you wish from this OS
- Please post the contents of the C:\OTL.txt file in your reply.

I couldn’t post the content in my reply, over 10000 characters, so I attached the file.

(No idea what just happened… 8) )

Here we go, let’s get you back to normal

Run the Reatogo disc again if it is not already running
Download the attached fix.txt to your USB drive and put it in the sick computer
Run OTLPE and click the Run Fix button
OTL will ask for the location of the fix.txt navigate to it and select
Press Run Fix again
Once it has completed the run, boot to normal Windows and run aswMBR and a fresh OTL scan, select all users

Post the resultant logs

Not able to run aswMBR, it just won’t open…

Attached the log from the fix and a fresh OTL…

That should have killed the ransomware - seeing as you are back in normal Windows ;D

Download the latest version of TDSSKiller from here and save it to your Desktop.

- Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

- Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

- If a suspicious object is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents in your next reply.

I consider myself a non violent individual but I like the part where something got killed on my pc… 8)

Working on and posting when ready

:frowning:

Also unable to open TDSSKiller…

Thought so

I will need to check your partitions now and get you to burn yet another disc

Could you type the following into the Start > Run box:

Diskmgmt.msc

This will open the Disk Management console.
Ensure that all partitions are visible and then take a screenshot, posting it here

Meanwhile the next disc to burn

I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn to do this.

screenshot attached,

Working on the cd…

Thanks

Fresh out of the oven 8)

I’ll be off for the next ten hours

OK, I see it, it is the 1MB partition

Now boot off of the newly created Gparted CD.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png

You should be here… Press ENTER

http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png

By default, “do not touch keymap” is highlighted.

Leave this setting alone and just press ENTER.

http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png

Choose your language and press ENTER. English is default [33]

http://img140.imageshack.us/img140/7958/gpartedgui.th.png

Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below

http://img32.imageshack.us/img32/1122/gpartedo.th.png

According to your logs, the partition that you want to delete is 1 MB

Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:

http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:

http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png

http://img194.imageshack.us/img194/7753/gpartedboot.th.png

Is “boot” next to your OS drive?

If “boot” is not next to your OS drive under “Flags”, right-click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the
http://img822.imageshack.us/img822/641/gpartedexit.png
button.

You should receive a small pop up like this:

http://img88.imageshack.us/img88/8986/gpartedexitreboot.png

Choose reboot and then press OK.

Once back in normal Windows please run aswMBR and post the scan log
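The post above amounts to two checks on the partition table: no stray tiny partition (the 1MB one) and the boot flag sitting on the OS partition. Here is that check written out as an added Python example; it is not code from the thread or from essexboy, and the sample MBR sector, the 16 MiB "tiny" threshold and the function names are constructed for the illustration.

```python
import struct

SECTOR = 512
# One 16-byte MBR partition entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"

def parse_mbr(sector):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                        "lba": lba, "sectors": count,
                        "size_mib": count * SECTOR / (1024 * 1024)})
    return entries

def suspicious(entries, os_index, min_mib=16):
    """Findings a defender would review: tiny partitions, misplaced boot flag, GPT disk."""
    findings = []
    for e in entries:
        if e["type"] == 0xEE:
            findings.append("protective MBR: this is a GPT disk, inspect the GPT instead")
        if e["size_mib"] < min_mib:
            findings.append(f"partition {e['index']}: tiny ({e['size_mib']:.1f} MiB)")
        if e["bootable"] and e["index"] != os_index:
            findings.append(f"partition {e['index']}: boot flag set, OS is partition {os_index}")
    if not any(e["bootable"] and e["index"] == os_index for e in entries):
        findings.append(f"boot flag missing on OS partition {os_index}")
    return findings

def make_entry(bootable, ptype, lba, count):
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)

# Constructed sample (not a real disk): 100 MiB system partition, 40 GiB OS partition,
# and a 1 MiB third partition carrying the boot flag, the layout the thread describes.
SAMPLE_MBR = (b"\0" * 446
              + make_entry(False, 0x07, 2048, 204800)
              + make_entry(False, 0x07, 206848, 83886080)
              + make_entry(True, 0x07, 84092928, 2048)
              + b"\0" * 16
              + b"\x55\xaa")

if __name__ == "__main__":
    for finding in suspicious(parse_mbr(SAMPLE_MBR), os_index=2):
        print(finding)
```

On a live Windows machine the first sector can be read from \\.\PhysicalDrive0 with administrator rights, but a bootkit that hooks disk I/O can return a clean sector, which is why the thread reads the table from a boot CD instead.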

Yes! I could run aswMBR, log attached

Well that was a twofer

What is the current status, are there any problems apparent?