Avast WEBforum
Other => Viruses and worms => Topic started by: DreaMzzy on July 18, 2012, 05:27:29 PM
-
Hi,
I have got a virus on my computer which I can't remove. The name is MBR:\\.\PHYSICALDRIVE0\Partition2 and when I try to move to chest or delete in Avast I get the message: Error: The request is not supported (50). I have tried to read in this forum to get help with the problems and tried some of the tips but it won't help. For your information I have problems running Combofix, TDSSkiller and aswMBR, which you refer to in solving the problems. Though I managed to get a log from TDSSkiller yesterday (when I hadn't already done all the other programs and fixes I tried after that, which seem to have caused some problems). I have started to follow the steps in the topic https://forum.avast.com/index.php?topic=53253.0 and I attach the two logs I got from OTL.
I would be really glad if you could help me as soon as you can. I will be standing by the whole evening today and will be waiting for the answers from you and will reply to you immediately after the answers.
Thank you in advance!
Best regards, Jonas
-
I tried the step with burning gparted-live-0.10.0-3.iso like in the topic http://forum.avast.com/index.php?topic=96419.0 as I have the same problem with a second partition that is 10 MB.
But I am not able to burn it from another computer so I burned it from the same computer as I have the virus on. The step after I burnt it is "Now boot off of the newly created Gparted CD.". I don't really know what you mean by that, but I tried to reboot the computer with the burned CD in the CD drive but nothing happened.
I post the screenshot here of when I ran diskmgmt.msc.
-
Hopefully there should be a malware removal specialist to help you soon.
-
OK, first thing we need to do is ensure that the computer is set to boot from CD. Also, with ImgBurn did you select "write image file to disc"?
Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
I need you to download:
gparted-live-0.10.0-3.iso (http://sourceforge.net/projects/gparted/files/latest/download?source=files) (115.1 MB)
Create a bootable CD, for Gparted from the ISO image.
You can use ImgBurn (http://download.imgburn.com/SetupImgBurn_2.5.6.0.exe) to do this.
Now boot off of the newly created Gparted CD.
You should be here... Press ENTER
(https://dl.dropbox.com/u/73555776/Gpart-Start.GIF)
By default, "do not touch keymap" is highlighted.
(https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF)
Leave this setting alone and just press ENTER.
(https://dl.dropbox.com/u/73555776/Gpart-continue.GIF)
Choose your language and press ENTER. English is default [33]
At the mode prompt enter 0, press ENTER
You will now be taken to the main GUI screen below
(https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF)
According to your logs, the partition that you want to delete is 10 MB
Right click this partition and select delete.
(https://dl.dropbox.com/u/73555776/GPart-delete.GIF)
The Partition has gone
Now select Apply
Now you should be here:
(https://dl.dropbox.com/u/73555776/Areyousure.GIF)
Select Apply after double checking that the right partition was deleted
Is "boot" next to your OS drive?
If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags
(https://dl.dropbox.com/u/73555776/GPart-flags.GIF)
In the menu that pops up, place a checkmark in boot like the picture below, then close:
(https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF)
Under File select Quit
(https://dl.dropbox.com/u/73555776/Gpart-quit.GIF)
You will see this small Popup
(https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF)
Choose reboot and then press OK.
-
Thanks a lot for helping me out but I need further assistance..
I burnt the file in the other thread which I linked to in my other post, named gparted-live-0.13.0-1.iso, and selected write ISO file. Then I followed your steps to boot from disc, which I also managed. Then I rebooted and I reached the first picture you had for the GParted application. I pressed ENTER (Gparted Live (Default settings)) and then a lot of commands in white on a black background followed. Then after some screens full of letters it froze and the last sentences were:
"INIT: Version 2.88 booting"
"[info] makefile-style concurrent boot in runlevel S"
Have I done anything wrong here? How can you help me further?
-
OK give me a bit and I will flash it up on my VM to see if I can replicate it
-
Ok, I will be waiting for your answer. I'm totally stuck here.
-
It may be a little while as essexboy will be at work now (almost 10:30am in the UK now).
-
I am unable to replicate it. The indications are that it is a corrupt burn. Could you reburn the Gparted disc but on a separate computer please
-
I tried to burn it again on the same computer but this time I chose "disc at once". I tried the new disc but it stopped at the same place again when I tried to use GParted. I got a warning message some lines up on the frozen screen that says:
Begin: Running /scripts/init-premount...done.
Begin: Mounting root file system... Begin: Running /scripts/live-premount...
[4.486534] aufs: module is from the staging directory, the quality is unknown, you have beend warned.
I don't know if that will help you.
I don't know if I will be able to burn the program from another computer today, but I will do my best. Are you sure that it will help? Should there be a problem burning it from my computer as you see it?
-
Yes, the malware can disrupt the burn to CD causing this problem, so a separate system would help
-
Now I have tried to burn G-parted from another computer, but I still got the same result. The screen freezes at the same point as before when I try to boot from the disc. What could I do now? Do you have any suggestions?
-
Yep I have a new tool
Please download the following tool
Listparts (http://www.bleepingcomputer.com/download/listparts/dl/77/)
Run the tool, click Scan and post the log (Result.txt) it makes.
(https://dl.dropbox.com/u/73555776/listparts.GIF)
Also could you re-run TDSSKiller please
-
Here comes the result from Listparts..
I tried to download and re-run TDSSkiller, but it won't work. The only time it worked was before I had run Combofix, aswMBR and another program. None of these programs works for me, nor does TDSSkiller. Don't know if that has anything to do with my Avast. With Combofix I read that I should disable my Avast antivirus shield and so I did, but I didn't quit the program totally.
-
Well, Listparts is not reporting a problem
Do you have the Combofix log? If so, could you attach it
Please download MBRCheck.exe (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe) to your Desktop. Run the application.
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
If an infection is found, you will be presented with the following dialog:
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
-
Here comes the log from MBRCheck..
I tried to run Combofix again, but it seems like it won't work. I ran it for 10 hours (it says it should take 10 minutes) and then it was still running and the picture hadn't frozen yet, but I guessed something was wrong anyway because it had run for so long, so I quit the process.
-
Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
Run MBRCheck.exe once again.
You will be presented with the following dialog:
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Enter Y and press Enter.
The following dialog will be presented:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:
Enter 2 and press Enter
The following dialog will be presented:
Enter the physical disk number to fix (0-99, -1 to cancel):
Enter >>0<< and press Enter
The following dialog will be presented:
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
Please select the MBR code to write to this drive:
Enter >>1<< and press Enter
The following dialog will be presented:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:
Type YES and press Enter (you must type the full word, YES). You will be informed if a new MBR code was successfully written!
And last the following dialog will be presented:
Done! Press ENTER to exit...
Press Enter. A report will be produced on the desktop. Post that report in your next reply.
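The "MBR Code Faked!" line in the post above comes from comparing the hash of the disk's first-sector boot code against a table of known-good codes, and the suspicious 10 MB second partition sits in that same sector's partition table. The following added example (not MBRCheck's code or the thread's own) parses a 512-byte MBR, hashes the 440-byte boot-code area, lists the partition entries and flags anything a responder would want to look at. The sector, the "known-good" hash set (just the baseline hash of the constructed sample; the real tool's table is not reproduced) and the 16 MB small-partition threshold are all constructed assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # boot-code area that is hashed; disk signature and table excluded
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code_prefix=b"\x33\xc0\x8e\xd0"):
    """Construct a 512-byte MBR for demonstration (not read from any real disk).

    Layout mirrors the thread: one ~465 GB bootable NTFS partition followed by
    a 10 MB second partition of a hidden-NTFS type (type chosen for the sample).
    """
    boot_code = boot_code_prefix + b"\x90" * (BOOT_CODE_LEN - len(boot_code_prefix))

    def entry(status, ptype, lba_start, sectors):
        return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

    table = (entry(0x80, 0x07, 63, 975_000_000)         # active NTFS, ~465 GB
             + entry(0x00, 0x17, 975_000_063, 20_480)   # hidden NTFS type, 10 MB
             + b"\0" * (2 * PART_ENTRY_LEN))            # two unused entries
    return boot_code + b"\x12\x34\x56\x78" + b"\0\0" + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Return the boot-code SHA1 and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE or sector[510:] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte sector ending in the 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0 and count == 0:
            continue
        partitions.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "size_mb": count * 512 // (1024 * 1024)})
    return {"boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
            "partitions": partitions}


def audit_mbr(sector, known_good_sha1, small_partition_mb=16):
    """List findings a responder would review; an empty list means nothing stood out."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha1"] not in known_good_sha1:
        findings.append("boot code SHA1 %s is not in the known-good set" % info["boot_code_sha1"])
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition carries the active (boot) flag")
    for p in info["partitions"]:
        if p["size_mb"] <= small_partition_mb:
            findings.append("partition %d is only %d MB (type 0x%02X); verify it is legitimate"
                            % (p["index"], p["size_mb"], p["type"]))
    return findings


if __name__ == "__main__":
    # On Windows an administrator could read the live sector with
    # open(r"\\.\PhysicalDrive0", "rb").read(512); here the constructed sample is used.
    baseline = {parse_mbr(build_sample_mbr())["boot_code_sha1"]}
    for finding in audit_mbr(build_sample_mbr(b"\xeb\x00\x90\x90"), baseline):
        print(finding)
```

Run against a real sector, any hash outside the known-good set only says the boot code is non-standard (some OEM and boot-manager codes are legitimate), so treat it as a prompt for review rather than proof of infection.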
-
Here comes the new MBR report.
Thanks for all the help! I really appreciate it!
-
OK, let's now see if we can get Combofix to run
First Download a fresh copy but rename it to Gotcha and then run
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
-
I downloaded a new Combofix from the link you gave me and tried to run it, but it froze after approx. 15 minutes. I disabled the Avast antivirus program before I ran it and didn't have any other program open.
My computer is totally bugged from the virus I have. Nothing works as it should, the computer is slow, all my files are hidden, I get a message from Avast that I am attacked by dangerous malware every couple of minutes, I can't open almost any of my documents, when I try to click on links from for example a Google search I am being forwarded to another address with strange and inappropriate material, and so on..
-
OK did not know you had lost files as that is a slightly different infection
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) and save it on your desktop.
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png)
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png)
- The report has been created on the desktop.
- Next click on the ShortcutsFix
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png)
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
-
Here comes the report from RogueKiller..
-
You should have all the shortcuts back now. Did Combofix install the recovery console? We will need to use that once I have the right partition numbers
And the MBR infection was a double one
Please download the following tool
Listparts (http://www.bleepingcomputer.com/download/listparts/dl/77/)
Run the tool, click Scan and post the log (Result.txt) it makes.
(https://dl.dropbox.com/u/73555776/listparts.GIF)
-
Here comes the log from Listparts..
I'm not sure I know what you meant about the recovery tool, but I might have got a recovery tool that is from Microsoft as I installed one of the programs. When I'm starting the computer something gives me two options, one of which might be recovery something. The picture only lasts for two seconds, but I think I have the option to choose from something that says Windows XP and also Recovery.
-
Could you download to your C drive the following programme
- Download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe)
Once it is there then reboot the computer and in the two seconds available select recovery console
This will bring up a command prompt
At the prompt type the following :
CD..
Do this until you get the C> command prompt
At the C prompt type
FRST.exe
- The tool will start to run.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif)
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the C drive.
- Reboot to normal mode
Please copy and paste it to your reply.
-
I rebooted and chose Recovery Tool, and then the picture froze when the message "reset console is being loaded" or something like that appeared.
All the files on the C drive are not hidden anymore, but the program folders in the Windows start menu are all empty.
-
OK looks like we will have to work outside of windows with this beasty. We will fix the start menu once we have slain this beast
OK next we will work outside of windows
Please print these instruction out so that you know what you are doing
- Download OTLPENet.exe (http://oldtimer.geekstogo.com/OTLPENet.exe) to your desktop
- Download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to a flash drive.
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
- Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
- Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
- Insert the flash drive with FRST on it
- Locate the flash drive and run FRST
- The tool will start to run.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif)
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
Here is the log from Farbar.. I did have a checkmark on "List drivers MD5" as that it was checked when I opened the program. I hope that will be fine, tell me if not.
-
Got it now
Could you copy listparts to the same USB as FRST
Then copy the attached fix.txt to the same USB
Insert the USB
Run Listparts and select fix
Once it has completed it will produce a log
Reboot to normal mode and post the log
-
What do you mean by reboot to normal mode? I ran it (as you said) from Windows normal mode using the file on the USB. Or did you mean I should have rebooted and used the program I burnt on CD yesterday and opened it from that system? Here comes the log I got now..
-
Sorry yes run it from the OTLPE as the malware is blocking any programme run from normal windows
-
Here comes the log from Listparts..
-
Could you now go to normal windows please
Then run TDSSKiller
-
Here comes the report from TDSSkiller which I copied to Notepad.
-
OK we beat it
How is the computer behaving now ?
-
Great! It's much better now I think. Are there any virus/malware or virus-diseased files on my computer now?
The program folders in my start menu are there, but they are all empty.. Could I remove all the programs installed and the files/folders created on my C drive like C:\_OTL, C:\Qoobox, C:\TDSSKiller_Quarantine, C:\FRST, C:\Gotcha, C:\FRST.exe? and maybe some more files..
Should I do anything more to get everything back to normal?
Thank you for all the help, a great THANKS to you!
-
Essexboy will give you advice on the removal of the tools and general advice for the future.
-
OK, let's get the menus back where we can. I will remove all the programmes when you are happy
But first let's check the bad partition has gone, if not you can delete it ;D
Go Start > Run
Type in the following and press enter:
diskmgmt.msc
This will open the disc management console
Look at the partitions: is there a second one of 10 MB size?
If so then right click that partition and select delete
MENUS
Restore Accessories Program Files Menu
Please download this tool here (http://www.winxptutor.com/download/accrestore.zip).
You will need to unzip the tool first.
Once you've unzipped the tool, please double-click on it to run it.
Ensure that the following check boxes are checked (as seen in this image below):
(http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/restore-start-menu-accessories-folder.gif)
Once they are, click on the Restore button.
Restore Admin Tools Program Files Menu
Please download this tool here (http://www.winxptutor.com/download/admintools.zip).
You will need to unzip the tool first.
Once you've unzipped the tool, please double-click on it to run it.
Click on the Restore Administrative Tools Items button.
As seen in this image below:
(http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/RestoreAdministrativeTools.gif)
This next one will produce the necessary shortcut links which you can cut and paste into the start menu folder
Download the repair.vbs (https://skydrive.live.com/?cid=32d8666f4048075b&sc=documents&uc=1&id=32D8666F4048075B%21117#) file to your desktop
Run the repair.vbs
It will ask for a folder name call it recovery
The tool will let you know when it is finished
On the desktop will be a recovery folder
Open the folder
Cut and Paste the links that you want to C:\documents and settings\your name\start menu
(http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/recoverxp1.gif)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/XP%20restore%20shots/recoverxp2.gif)
-
Hi,
I have been away on holiday for the last three weeks but now I'm back.
I only have one partition left, which looks okay. The restore accessories program ran without any problem. When I ran restore admin tools I got an error message, and same happened with repair.vbs (see attachment). Can you help me out?
-
Is there anyone that can help me to finish this?
-
Why I didn't tell you that I was going away for three weeks was for security reasons and not because of being impolite.
I saw that the language in the picture I attached was in Swedish and here comes the translation for the Rapair.vbs message:
Script: C:\Documents and Settings\Jonas\desktop\Rapair.vbs
Line: 36
Letter: 4
Fault: Could not find the given path
Code: 800A004C
Source: Run error in Microsoft VBScript
-
I will need to talk to the Author on that one
What are the current problems ?
-
I just want to remove all the files and programs that are not necessary anymore and want the missing shortcuts in the start menu to be there again.
I also want to know if I can do a check to know that everything on my computer is all right. It is much slower than I think it was before and it's not because I have so many demanding programs and a full drive (only used 90GB of 500GB). Can I check that?
A little thing more is that I get a "black picture" when I'm starting the computer asking if I want to start Windows XP and one other option, but it's just there for 2 seconds. I think this is because of the installation of Listparts or some of the other programs.
-
OK lets remove my programmes first. I have just run repair.vbs on my system and it worked perfectly. Could you try it once more please
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
I still don't get repair.vbs to work, same message that the picture shows that I attached in an earlier message.
The black screen with white text at startup with a question to start from Windows XP is still there, do you know how to get rid of it?
The shortcuts in the start menu are still missing. I guess I can try to add them manually from Explorer.
What about the picture you attached from your program folder?
-
To stop the boot option screen
Right click the My Computer icon on the desktop
Select properties
Select Advanced Tab
Select Start up and Recovery Settings
Remove the two ticks from time to display....
OK out
The previous screenshot was after I ran the repair VBS and shows what it created..
But you will have to do that manually I am afraid
-
Great! Thanks a lot for all the help!
I'll get back here if the computer doesn't seem okay.