Author Topic: MBR:SST infection  (Read 8443 times)


dkimble

  • Guest
MBR:SST infection
« on: August 14, 2012, 03:47:24 PM »
I give up, this is clearly way over my head.

Symptoms:
- Fake virus scan, all files hidden (files unhidden, apps found in registry and deleted)
- Periodic (~ 5 min intervals) audio ads (explorer.exe CPU usage goes up and audio stops if I end explorer process)
- constant web search redirects
- had to rename mbam.exe to run it
- PC response generally slow

Logs attached (except aswAR.log, which is almost 25Mb).

Thanks,

Dave

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: MBR:SST infection
« Reply #1 on: August 14, 2012, 03:49:54 PM »
Quote
Logs attached (except aswAR.log, which is almost 25Mb).
Can you upload the aswMBR log online ... like mediafire.com or similar

and then give us the download link?
« Last Edit: August 14, 2012, 05:59:11 PM by Pondus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: MBR:SST infection
« Reply #2 on: August 14, 2012, 08:22:31 PM »
Hi there, I will need to see the MBR

  • Download RogueKiller and save it on your desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

dkimble

  • Guest
Re: MBR:SST infection
« Reply #3 on: August 15, 2012, 04:31:02 AM »
aswMBR log is here: http://www.mediafire.com/?5g51f6gy8dpl5d0

Going to get RogueKiller now.

Thanks for your help!

dkimble

  • Guest
Re: MBR:SST infection
« Reply #4 on: August 15, 2012, 04:57:49 AM »
Attached are the RogueKiller logs.

Thanks again.

Offline essexboy

Re: MBR:SST infection
« Reply #5 on: August 15, 2012, 04:51:07 PM »
Could you reboot your computer to safe mode please
Reboot and press then hold F8
On the subsequent menu is there the option "repair my computer" ?

If not do you have the windows CD ?

If not then do the following

Download the following three programmes to your desktop :

1. WiNTBootIc
2. Windows 7 64bit RC
3. Listparts

Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

It will let you know when it is done
Then copy Listparts to the same USB

Insert the USB into the sick computer and start the computer. First ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this although yours will say windows 7. Click repair my computer

Select your operating system

Select Command prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • A Notepad window will open. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and then close Notepad.
  • In the command window type e:\listparts64 (64bit)  and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • Press Fix button.
  • When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes on the flash drive.

dkimble

  • Guest
Re: MBR:SST infection
« Reply #6 on: August 17, 2012, 02:35:27 AM »
Okay, I put the files you mentioned on a USB drive then booted from the USB Storage Device.

The System Recovery Options dialog doesn't have an OS listed.

It does have the option of loading drivers for my hard disk.

Should I do that?  If so, would they be in \windows\system32\drivers?

Thanks,

Dave


Offline essexboy

Re: MBR:SST infection
« Reply #7 on: August 17, 2012, 02:21:52 PM »
Do you have the system recovery options list .. If so continue to the list parts run

dkimble

  • Guest
Re: MBR:SST infection
« Reply #8 on: August 17, 2012, 05:47:15 PM »
I must be missing something.

When I select Fix I get a dialog that says this:

===
No fix.txt found.

The fix.txt should be made and saved in the same directory the tool is located.
===

Thanks for your ongoing help!

Offline essexboy

Re: MBR:SST infection
« Reply #9 on: August 17, 2012, 07:57:40 PM »
Arrgh me big numpty ... Press scan please and post the results.txt here..  That will tell me what partition to set as active and which one to delete
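
The reply above turns on which partition carries the active flag in the MBR. As an added example (not part of the original post, and not Listparts' own code), this Python parser reads the four partition table entries of a 512-byte MBR sector and reports the active slot plus basic structural findings. The sample sector, its layout and all function names are constructed for illustration.

```python
import struct

SECTOR_SIZE, TABLE_OFFSET, ENTRY_SIZE = 512, 446, 16
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS start, type, CHS end, first LBA, sector count

def parse_mbr(sector):
    """Return the non-empty primary partition entries of one 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing")
    entries = []
    for slot in range(4):
        status, ptype, first_lba, count = ENTRY.unpack_from(sector, TABLE_OFFSET + slot * ENTRY_SIZE)
        if ptype == 0x00:  # type 0 marks an unused slot
            continue
        entries.append({"slot": slot + 1, "status": status, "active": status == 0x80,
                        "type": ptype, "first_lba": first_lba, "sectors": count})
    return entries

def review(entries):
    """Flag table states worth a closer look before any partition is changed."""
    findings = []
    active = [e["slot"] for e in entries if e["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active entries: {active}")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"slot {e['slot']}: invalid status byte {e['status']:#04x}")
    ordered = sorted(entries, key=lambda e: e["first_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["first_lba"] + a["sectors"] > b["first_lba"]:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    return findings

def build_sample(layout):
    """Build a constructed MBR sector from (status, type, first_lba, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    for slot, fields in enumerate(layout):
        ENTRY.pack_into(sector, TABLE_OFFSET + slot * ENTRY_SIZE, *fields)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed layout, not the poster's disk: a small trailing partition holds the active flag.
SAMPLE = build_sample([(0x00, 0x07, 2048, 204800),
                       (0x00, 0x07, 206848, 976000000),
                       (0x80, 0x07, 976206848, 4096)])

if __name__ == "__main__":
    for e in parse_mbr(SAMPLE):
        size_mib = e["sectors"] * 512 // (1024 * 1024)
        print(f"slot {e['slot']}: type {e['type']:#04x} start {e['first_lba']} "
              f"size {size_mib} MiB {'ACTIVE' if e['active'] else ''}")
    print(review(parse_mbr(SAMPLE)) or "no structural findings")
```

A table can pass every structural check here and still have the active flag on the wrong partition, which is why the listing is read by a person before anything is set active or deleted.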

dkimble

  • Guest
Re: MBR:SST infection
« Reply #10 on: August 18, 2012, 01:29:32 AM »
I think I'm the numpty here...


When I boot from the USB, I get a System Recovery Options dialog asking me to select my keyboard input method (I select US).

Then, I get the System Recovery Options dialog with two radio buttons:
- Use recovery tools that can help fix problems starting Windows.
Select an operating system to repair.
If your operating system isn't listed, click Load Drivers and then install drivers for your hard disks.

- Restore your computer using a system image that you created earlier.

and two buttons [Load Drivers] [Next]


When I select Next (with first radio button selected), I get a System Recovery Options dialog that matches one of your screen shots with these options:

Startup Repair
System Restore
System Image Recovery
Windows Memory Diagnostic
Command Prompt

and two buttons [Shut Down] and [Next]

I don't know which option corresponds to "scan" to get the results.txt file.

Thanks again,

Dave

Offline essexboy

Re: MBR:SST infection
« Reply #11 on: August 18, 2012, 02:57:53 PM »
OK on the last page select the Command Prompt option
You will then have an old DOS type window

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • A Notepad window will open. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and then close Notepad.
  • In the command window type e:\listparts and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.

  • Click Scan
  • When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes on the flash drive.

dkimble

  • Guest
Re: MBR:SST infection
« Reply #12 on: August 19, 2012, 06:55:39 AM »
I've attached result.txt.

Thanks,

Dave

Offline essexboy

Re: MBR:SST infection
« Reply #13 on: August 19, 2012, 12:02:21 PM »
OK let's get at it

Download the attached fix.txt to the same USB as listparts
Run Listparts again from the recovery console as before
Press Fix
Once done a report will be saved to the USB

Reboot the computer
If it should fail to start
Then reboot press F8
Select Repair my computer
Select startup repair

Reboot to normal windows

Then run TDSSKiller

dkimble

  • Guest
Re: MBR:SST infection
« Reply #14 on: August 19, 2012, 10:04:42 PM »
I ran listparts.

When I ran Startup Repair, it said "Startup Repair could not detect a problem".


Then I ran tdsskiller (v 2.7.48, when it told me to load the 2.8.6.0 update nothing happened).

It processed 446 objects with 0 threats!

I have tried several web searches with no redirects and the browser performance seems to be 4 or 5 times faster than before.

Thanks for all of your patient and persistent help.

Please point me to a place where I can donate some $ in return.

Thanks again,

Dave