Attached is the OTL log. Dr.Web indicates there were 13 files with errors. No threats detected. No infected, malicious, or suspicious items. No threats neutralized. Scan duration: 2 hrs & 32 mins. And yes, the problem still persists. The Windows 7 MBR is unreachable, so the system has no option but to boot from the sector that the rootkit resides in.
/lib/modules/2.6.30-drweb-6.0.0/build Cannot get file attributes with error. No such file or directory. Contains error
/lib/modules/2.6.30-drweb-6.0.0/source Cannot get file attributes with error. No such file or directory. Contains error
/win/D:/hiberfil.sys * File too large, skipped. Contains error*
/win/D:/pagefile.sys * File too large, skipped. Contains error*
/mnt/disk/sda2/ hiberfil.sys * File too large, skipped. Contains error*
/mnt/disk/sda2/ pagefile.sys * File too large, skipped. Contains error*
/mnt/module/.pivot/mn1/ module /.rootfs/opt/drweb/doc/livecd/default * File too large, skipped. Contains error*
/mnt/module/.pivot/mn1/ module /.rootfs/root/config/fpanel/default * File too large, skipped. Contains error*
/mnt/module/_white/dev/core * File too large, skipped. Contains error*
/mnt/module/_white/lib/modules/2.6.30-drweb-6.0.0/build * File too large, skipped. Contains error*
/mnt/module/_white/lib/modules/2.6.30-drweb-6.0.0/source * File too large, skipped. Contains error*
/lib64/modules/2.6.30-drweb-6.0.0/build * File too large, skipped. Contains error*
/lib64/modules/2.6.30-drweb-6.0.0/source * File too large, skipped. Contains error*
Bootmgr appears to be missing, so we will see if we can find a spare.
- Run OTL.
- Select All Users.
- Under the Custom Scan box, paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
bootmgr.*
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs.
THEN
- Download aswMBR.exe (1.8 MB) to your desktop.
- Double-click aswMBR.exe to run it, then click the “Scan” button to start the scan.
- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Here is the requested log.
Am I incorrect? Does OTL not produce 2 result logs? Shouldn’t there be another called “Extras”??? If so, it failed to produce it. My apologies if I am incorrect here.
(P.S. I ran the scan 2 times.)
Well, the same old problems have returned in earnest (I was able to reinstall Avast, but it cannot detect malware if it is hidden on an inaccessible section of the hard drive; I ran a full system scan & boot scan and Avast detected nothing). At this point I am fairly certain that a rootkit has created its own version of the MBR, is hidden, protected, and tricking the OS into loading from it instead of the real MBR. I am contemplating installing Ubuntu to overwrite the hard drive, and then re-installing Windows in the hope that this will overwrite the rootkit code (in whichever boot sector it resides) and be rid of this problem (providing that it has not infected the BIOS as well). Or, somehow isolating the sector that the rootkit is hiding in (provided it can be located) by creating a new boot partition with a real MBR, and positioning it so that the OS will boot from it instead (if this is feasible?). From what I have read online about the type of rootkit(s) I suspect to have infected my PCs (TDL4, also known as TDSS, Alureon (Microsoft), Olmarik (ESET), or TidServ (Symantec), is a multi-component malware family used by botnet owners to steal information and generate revenue through ad clicks; also see this link: http://www2.gmer.net/mbr/), they are extremely difficult to eradicate. These ideas may be unorthodox, impractical, or nonsensical, and yes, I may be getting ahead of the process here, but sometimes it takes a bit of trickery to vanquish those nasty Trojans. What are your thoughts?
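One way to examine the suspicion raised above, as an added example that is not from this thread or from any of the tools named in it: a Python script that parses a raw 512-byte MBR dump (for instance the first sector of the physical drive saved from a rescue environment) into its boot code, partition table and boot signature, reports structural inconsistencies, and hashes the boot-code area so the MBRs of two PCs can be compared. The sample sector below is constructed for the demonstration, and the checks are generic MBR sanity checks, not a signature for any particular rootkit.

```python
import hashlib
import struct

PART_TABLE_OFF = 446  # 446 bytes of boot code, then four 16-byte partition entries

def parse_mbr(sector):
    """Split a raw 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):  # "<B3xB3xII" skips the legacy CHS start/end fields
        status, ptype, start, length = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"active": status == 0x80, "type": ptype, "lba_start": start, "sectors": length})
    sig_ok = sector[510:512] == b"\x55\xaa"
    return {"boot_code": sector[:PART_TABLE_OFF], "partitions": parts, "signature_ok": sig_ok}

def audit_mbr(sector, disk_sectors=None):
    """Return human-readable findings; an empty list means the table looks sane."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    used = [p for p in info["partitions"] if p["type"] != 0]  # type 0 = empty slot
    active = [p for p in used if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions (expected 1)" % len(active))
    for p in used:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("type 0x%02x entry has zero start or length" % p["type"])
        elif disk_sectors and p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append("entry at LBA %d extends past end of disk" % p["lba_start"])
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):  # entries must not overlap
        if start2 < end1:
            findings.append("partition entries overlap at LBA %d" % start2)
    return findings

def boot_code_digest(sector):
    """SHA-256 of the 446-byte boot-code area, for comparing two machines' MBRs."""
    return hashlib.sha256(bytes(parse_mbr(sector)["boot_code"])).hexdigest()

def _entry(active, ptype, start, length):  # builds one constructed partition entry
    return struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, start, length)

# Constructed sample MBR: stub boot code, an active NTFS (0x07) partition at LBA 2048,
# a second NTFS partition, two empty entries and a valid 0x55AA signature.
SAMPLE_MBR = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PART_TABLE_OFF - 7)
              + _entry(True, 0x07, 2048, 204800)
              + _entry(False, 0x07, 206848, 100000)
              + b"\x00" * 32 + b"\x55\xaa")
```

Reading the real sector is a separate step; pass those 512 bytes in place of SAMPLE_MBR, with the drive's sector count as disk_sectors so the end-of-disk check applies.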
Kaspersky tool result: no threats detected.
FixTDSS tool result: no threats detected.
Bitdefender tool error message: “Failed to initialize”. (Tried to run it in safe mode with networking.)
Any suggestions on how to get the Bitdefender tool to run? I tried sneaking it in via flash drive and naming it family pics. Perhaps the rootkit identified it and stopped it from running.
I was able to run the Bitdefender rootkit removal tool on my 32-bit system running Vista, as well as my 64-bit system; result “no threats detected” on either PC.
I was able to run FixTDSS; result: Backdoor Tidserv has not been found on your computer.
I ran Kaspersky on the 32-bit system running Vista and attached the report. Odd items found.
Recovery console is not one of the options on the “Advanced Boot Options” screen that appears after hitting F8.
The options are:
Safe Mode
Safe Mode with networking
Safe Mode with command prompt (Would this work?)
Enable Boot Logging
Last Known Good Configuration
Debugging Mode
Disable automatic restart on system failure
Disable Driver Signature Enforcement
Start Windows Normally
I thought the only way to access the Recovery Console was by booting up the OS installation disk and selecting “Repair your Computer”. I am not trying to be flippant. I am just a little confused.
I did as instructed and this is the resulting error message: “FIXMBR” is not recognized as an internal or external command, operable program or batch file.
In Vista System Recovery Options I executed the command “Bcdedit” and I copied the result (by typing exactly what appears on the screen into Notepad) and attached it. Would you please look at it?
I am wondering if you were to look at yours and compare it with mine, whether one could see an error, corruption, or rootkit? Please be so kind as to check this out.
One item after “resumeobject” looks suspicious. I am going to compare my 2 PCs’ Windows Boot Manager settings. It would be most helpful to have other eyes on this. From this command window one can make major changes to the MBR. If you check the link in my last post, it lists commands.
You might find them intriguing.
Thank you so very much for your patience with me and all you are doing to help me with this!!!
I have tried as instructed via the command prompt but still get the same error message. Are you perhaps running an earlier version of Vista? See below:
The Recovery Console in earlier versions of Windows has been removed in this version of Windows and replaced by several tools located in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If your computer manufacturer has preinstalled recovery options, the menu might also be installed on your hard disk. If your computer does not include the System Recovery Options menu, your computer manufacturer might have customized or replaced the tool. Check the information that came with your computer or go to the manufacturer’s website.
If Windows doesn’t start correctly, you can use these tools to repair startup problems, restore your system files to an earlier point in time, run tests on your computer’s random access memory, and in some editions of Windows Vista, restore your entire computer and system files from backups. For more information, see What are the system recovery options in Windows Vista?
I am currently in the Windows Vista Boot Configuration Data Store Editor via the command bcdedit /?. I checked a Microsoft technical support site for more information on commands in this particular environment. I found that the command “bcdedit /?” is the “Help” command that lists a multitude of options for MBR configuration. I am going to see what I can find out by using the commands that control the boot manager.