Virus: Please help me to remove MBR:\\.\PHYSICALDRIVE0\Partition2

[DreaMzzy]

Here comes the log from MBRcheck..

I tried to run Combofix again, but it seems like it wont work. I ran it for 10 hours (it says it should take 10 minute) and then it was still running and the picture hadnt froze yet but I guessed something was wrong anyway because it had run for so long so I quit the process.

[essexboy]

    Size  Device Name          MBR Status
  --------------------------------------------
    465 GB  \\.\PhysicalDrive0   MBR Code Faked!
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Run MBRCheck.exe once again.
 
You will be presented with the following dialog:
 

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

 
Enter Y and press Enter.
 
The following dialog will be presented:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
 
Enter your choice:

 
Enter 2 and press Enter
 
The following dialog will be presented:
 

Enter the physical disk number to fix (0-99, -1 to cancel):

 
Enter >>0<< and press Enter
 
The following dialog will be presented:

Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
 
Please select the MBR code to write to this drive:

 
Enter >>1<<  and press Enter
 
The following dialog will be presented:

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:

 
Type YES and press Enter (Must type the full word, YES). You will be inform if successfully wrote a new MBR code!
 
And last the following dialog will be presented:
 

Done! Press ENTER to exit...

 
Press Enter. A report will be produced on the desktop. Post that report in your next reply.

[DreaMzzy]

Here comes the new MBR report.

Thanks for all the help! I really appreciate it!

[essexboy]

OK lets now see if we can get Combofix to run

First Download a fresh copy but rename it to Gotcha and then run

Download ComboFix from one of the following locations:
Link 1
Link 2
 

[DreaMzzy]

I downloaded a new Combofix from the link you gave me and tried to run it, but it froze after aprox. 15 minutes. I disabled Avast antivirusprogram before I ran it and didnt have any other program open.

My computer is totally bugged from the virus I have. Nothing works as it should, the computer is slow, all my files are hidden, I get message from Avast that I am attacked by dangerous Malware in every couple of minutes, I cant open almost any of my documents, when I try to click on links from for example a google search I am being forwarded to another adress with strange and inppropriate material and so on..

[essexboy]

OK did not know you had lost files as that is a slightly different infection

• Download RogueKiller  and save it on your desktop. 
  
• Quit all programs
• Start RogueKiller.exe.
  
• Wait until Prescan has finished ... 
•     Click on Scan

   
 

• Wait for the end of the scan. 
• The report has been created on the desktop. 
• Click on the Delete button.

     

• The report has been created on the desktop.

• Next click on the ShortcutsFix   
  
  
• The report has been created on the desktop.

Please post:    All RKreport.txt text files located on your desktop.

[DreaMzzy]

Here comes the report from RogueKiller..

[essexboy]

You should have all the shortcuts back now.  Did combofix install the recovery console as we will need to use that once I have the right partition numbers 

And the MBR infection was a double one

Please download the following tool

Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.

[DreaMzzy]

Here comes the log from Listparts..

Im not sure i know what you meant about the recovery tool, but i might got a recovery tool that is from microsoft as i installed one of the programs. When im starting the computer something gives me two options in which one of them might be recovery something. The picture only lasts for two seconds, but i think i have option to chose from something that says Windows XP and also Recovery.

[essexboy]

Could you download to your C drive the following programme

• Download Farbar Recovery Scan Tool
  
  
  Once it is there then reboot the computer and in the two seconds available select recovery console
  This will bring up a command prompt
  At the prompt type the following :
  
  CD..
  
  Do this until you get the C> command prompt
  
  At the C prompt type
  
  FRST.exe
  
  • The tool will start to run.
  
  
• When the tool opens click Yes to disclaimer.
• Press Scan button.
  
• It will make a log (FRST.txt) on the C drive.
• Reboot to normal mode

 Please copy and paste it to your reply.[/list]

[DreaMzzy]

I rebooted and chose Recovery Tool, and then the picture froze as the message "reset console is being loaded" or something like that.

All the files at C-drive is not hidden anymore, but the program maps in windows start-meny are all empty.

[essexboy]

OK looks like we will have to work outside of windows with this beasty.  We will fix the start menu once we have slain this beast

OK next we will work outside of windows
Please print these instruction out so that you know what you are doing


• Download OTLPENet.exe to your desktop
  
• Download Farbar Recovery Scan Tool and save it to a flash drive.
  
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn  to burn the file to CD
  
• Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here

• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads 
• Your system should now display a Reatogo desktop.

Note : as you are running from CD it is not exactly speedy

• Insert the flash drive with FRST on it
• Locate the flash drive and run FSRT
• The tool will start to run.

• When the tool opens click Yes to disclaimer.
• Press Scan button.
  
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[/list]

[DreaMzzy]

Here is the log from Farbar.. I did have a checkmark on "List drivers MD5" as that it was checked when I opened the program. I hope that will be fine, tell me if not.

[essexboy]

Got it now

Could you copy listparts to the same USB as FRST
Then copy the attached fix.txt to the same USB
Insert the USB
Run Listparts and select fix

Once it has completed it will produce a log
Reboot to normal mode and post the log

[DreaMzzy]

What do you mean by reboot to normal mode? I ran it (as you said) from windows normal mode using the file on the USB. Or did you mean i should have rebooted and use the program i burnt on CD yesterday and open it from that system? Here comes the log I got now..