MBR:\\.\PHYSICALDRIVE0\Partition4

[BTS]

Hello, I have been battling this virus for a few days and am now at wits end. I originally got a version of the Smart HDD virus. I have run MalwareBytes. That seemed to get rid of most of the virus that were causing me all the pop ups. I am not able to run OTL, aswMBR, or tsskiller when they are saved to the desktop. When I run MalwareBytes again, it says no threats found, but when I run avast, I have MBR:\\.\PHYSICALDRIVE0\Partition4 that I can not delete.  Really appreciate any help. Thank you.

[mikaelrask]

hey and welcome to the forum the malware expert must have those logs to be able to help you.

http://forum.avast.com/index.php?topic=53253.0

I'm not sure but could you try and run in safe mode or do you get the same thing?

[BTS]

Even in safe mode it won't open. When I double click, it asks me if I want to run, but when I say yes nothing happens. I was able to get MBRcheck to run, if that helps. I truly don't know much about this stuff.

[essexboy]

Yes could you try in safe mode first.  If it fails could you rename otl.exe to otl.scr and then try

Again if there is a failure then what is the operating system -XP<VISTA<7 - 32 or 64bit

Can you access a USB drive of at least 4Gb 

[BTS]

Great, got it work with OTL.scr .. attaching log

[essexboy]

Do you have the option "repair my computer" when you are on the safe mode menu ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

  :OTL
  O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
  O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
  O3 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
  O3 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000\..\Toolbar\WebBrowser: (no name) - {5B291E6C-9A74-4034-971B-A4B007A0B315} - No CLSID value found.
  O3 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
  O3 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
  O4 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000..\Run: [ESm0AIZeKGX958] C:\ProgramData\ESm0AIZeKGX958.exe File not found
  O4 - HKU\S-1-5-21-3893750031-430444558-3952395772-1000..\Run: [xixqnANuWCTnx.exe] C:\ProgramData\xixqnANuWCTnx.exe File not found
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  [2012/08/02 03:06:25 | 000,000,633 | ---- | C] () -- C:\Users\Jordan\Application Data\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
  @Alternate Data Stream - 1250 bytes -> C:\Users\Jordan\AppData\Local\vCQTT9nzb:lv5NjaknjN7WlHAq4z
  
  :Files
  ipconfig /flushdns /c
  C:\ProgramData\ESm0AIZeKGX958.exe
  C:\ProgramData\xixqnANuWCTnx.exe
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [CREATERESTOREPOINT]
  [Reboot]
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download the following tool

Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.

[BTS]

No, I do not see the repair my computer option.. Should I still go ahead and run OTL fix?

[essexboy]

Yes please, do you have a USB drive of at least 1Gb ?

[BTS]

Ok, here is the log from the Quick Scan.. I did it in safe mode, hopefully that doesn't matter.

Going to do the ListParts scan now.   Yes, I have a USB drive of at least 1GB. Thank you

[BTS]

Here is the Log from ListParts

[essexboy]

Please download the following tool

Listparts64

Please open notepad
(Start =>All Programs => Accessories => Notepad)
and copy the entire contents of the code box below.
(To do this highlight the contents of the box, right click on it and select copy.)
Right-click in the open notepad and select Paste.

Code: [Select]

Disk=0 Partition=3 active
custom
Disk=0 Partition=4 delete
 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

• Save it on to a USB flashdrive as fix.txt
  
• Save ListParts (32bit) or ListParts64 (64bit) onto the same  flash drive.
• Plug the flashdrive into the infected PC.
• Enter System Recovery Options.
  
  
  To enter System Recovery Options from the Advanced Boot Options:
  
  
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    
  • Use the arrow keys to select the Repair your computer menu item.
    
  • Choose your language settings, and then click Next.
    
  • Select the operating system you want to repair (normally option 1), and then click Next.
    
  • Select your user account and click Next.
  .
  To enter System Recovery Options by using Windows installation disc:
  
  
  
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
    
  • Choose your language settings, and then click Next.
    
  • Select the operating system you want to repair, and then click Next.
    
  • Select your user account an click Next.

• On the System Recovery Options menu you will get the following options:
  
  Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
  
  
• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• A Notepad window will open. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and then close Notepad.
• In the command window type  e:\listparts64 (64bit)  and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
• Press Fix button.
  
• When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes on the flash drive.

[BTS]

When I click on the repair my computer option, A box that says "Other User" pops up, then asks me for a user name and password.

[BTS]

If I try to restore from the disc, do I use the disc that says "Operating System"?

[essexboy]

No that will not work .. Bear with me and I will prepare the recovery console for you to download
 
back in two minutes

[essexboy]

Download the following three programmes to your desktop :

 
1.  WiNTBootIc
2.  Windows Vista 64bit RC
3.  Listparts64

Please open notepad
(Start =>All Programs => Accessories => Notepad)
and copy the entire contents of the code box below.
(To do this highlight the contents of the box, right click on it and select copy.)
Right-click in the open notepad and select Paste.

Code: [Select]

Disk=0 Partition=3 active
custom
Disk=0 Partition=4 delete
 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

• Save it on to the desktop as fix.txt
  
  
  Extract wintoboot to your desktop
  Insert a USB drive of at least 1GB
  Run Wintoboot
  
  
  
  Drag and drop the Windows Vista ISO to the programme in the space indicated
  Tick the Format box and accept the warnings
  Press Do It
  
  You will see it progressing
  
  
  
  It will let you know when it is done
  Then copy Listparts64 and fix.txt to the same USB
  
  
  
  
  Insert the USB into the sick computer and start the computer.  First ensuring that the system is set to boot from USB
  Note: If you are not sure how to do that follow the instructions Here
  
   
  When you reboot you will  see this. Click repair my computer
  
   
  Select your operating system
  
   
  Select Command prompt
  
   
  At the command prompt type the following  :
  
  notepad and press Enter.
  The notepad opens. Under File menu select Open.
  Select "Computer" and find your flash drive letter and close the notepad.
  In the command window type e:\listparts64.exe and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  The tool will start to run.
  Press Fix button.
  It will make a log (listparts.txt) on the flash drive. Please copy and paste it to your reply.
  

Reboot to normal mode