Topic: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!

argus

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #15 on: September 22, 2012, 07:06:02 PM »
Step 1


> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach the log report (ComboFix.txt) back to the topic.



Step 2


Download TDSSKiller and save it to your desktop.

Execute TDSSKiller.exe by double-clicking on it.

  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.

sethdb

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #16 on: September 22, 2012, 07:16:12 PM »
I tried to run aswMBR in standard and safe mode; neither attempt was successful.

argus

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #17 on: September 22, 2012, 07:21:54 PM »
Do what I wrote above in the post.

sethdb

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #18 on: September 22, 2012, 07:36:54 PM »
I disabled avast as directed and ran ComboFix.

It seemed to stop before it finished. A minute later a window popped up that said "administrator" on the blue bar at the top of the window (much like a DOS prompt window). I wasn't sure if it was ComboFix doing it or the malware, so I waited, then closed the window. I tried ComboFix again and it did virtually the same thing, without the administrator DOS prompt window, so I searched for the ComboFix.txt and couldn't find it after running a search on drive C. I tried to run TDSSKiller to see how that would work and it does the same thing that aswMBR does. So, I enabled avast again just in case the malware was trying to take over in the meantime.

ComboFix also never asked about a Recovery Console.

Please advise.

sethdb

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #19 on: September 22, 2012, 07:45:04 PM »
I disabled avast again and am letting ComboFix have the benefit of the doubt. The admin window is ComboFix. I will upload the file it creates when it finishes. I chickened out early last time. I will upload shortly.

Thank you.

argus

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #20 on: September 22, 2012, 08:39:39 PM »

- Delete old and download fresh TDSSKiller.
- Rename TDSSKiller.exe to argus.exe
- Re-run argus.exe
- Press Start Scan


Step 2

- Delete old and download fresh ComboFix and try to run it as instructed above.
If ComboFix again fails to run, then try to run CF from safe mode.

sethdb

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #21 on: September 22, 2012, 09:05:44 PM »
The ComboFix log is attached.

I am deleting, downloading, renaming, and trying again with TDSSKiller next.

sethdb

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #22 on: September 22, 2012, 09:10:22 PM »
Still no results with TDSSKiller renamed as argus.

sethdb

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #23 on: September 22, 2012, 09:13:26 PM »
Still getting occasional Malicious URL blocked messages from avast! including:

Object: http:/
Infection: URL:Mal
Process: C:\Windows\explorer.exe

Similar things have been happening during this whole process while avast! was enabled.

sethdb

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #24 on: September 23, 2012, 03:36:17 AM »
While I was waiting, I read up on another blog from spgass and saw that he had success running TDSSKiller off of a flash drive, so I gave it a try. I ran aswMBR first, renamed "argus". It ran and I attached the log. I then ran TDSSKiller off the thumb drive renamed as "PONDUS"; it took, but wanted to restart to upgrade for additional monitoring or some such, so I restarted. It did not kick back in, so I started the program again, this time renamed as another rather ancient Greek-sounding name, and it ran. It found the rootkit I have and it cured it. It asked to restart, so I restarted... without remembering to get a log first. On restart, the first occurrence of TDSSKiller jumped back in and started going, so I ran the program a second time, and it didn't find anything. I attached the second log just for good measure.

Is there more to be done?

Thanks,

sethdb

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #25 on: September 23, 2012, 03:39:21 AM »
For what it's worth, the internet seems to have picked up speed and avast! has not had to block any Malicious URLs.

argus

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #26 on: September 23, 2012, 09:27:18 AM »


How's your computer behaving today? Are there any problems?
« Last Edit: September 23, 2012, 11:12:16 AM by argus »

argus

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #27 on: September 23, 2012, 11:11:41 AM »



Re-run TDSSKiller, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.

  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.


  • Click the Start Scan button.

    - If a suspicious object is detected, the default action will be Skip; click on Continue.
    - If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
    A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".

  • Please attach the contents of that file here.



Re-run aswMBR and attach the log report.
« Last Edit: September 23, 2012, 11:41:10 AM by argus »
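The two helper steps argus gives above, running the scanner under a different file name (reply #20, "rename TDSSKiller.exe to argus.exe") and then locating the log it writes to C:\ (reply #27, "TDSSKiller.[Version]_[Date]_[Time]_log.txt"), as an added PowerShell example. This is not code from the thread, nor Kaspersky's or avast's own tooling. It assumes TDSSKiller.exe has already been downloaded to the Desktop, that the log name matches the pattern quoted in the thread, and PowerShell 4 or later (for Get-FileHash); the keyword list used to pick lines out of the log is a constructed guess at wording, not the tool's documented format.

```powershell
# Added example (not from the thread). Runs TDSSKiller under a random file name,
# as reply #20 does by hand with "argus.exe", then finds the log it wrote to C:\.
# Assumes: TDSSKiller.exe sits on the Desktop; the log name matches the thread's
# pattern "TDSSKiller.[Version]_[Date]_[Time]_log.txt"; PowerShell 4+ (Get-FileHash).

$source = Join-Path ([Environment]::GetFolderPath('Desktop')) 'TDSSKiller.exe'
if (-not (Test-Path -LiteralPath $source)) { throw 'TDSSKiller.exe not found on the Desktop' }

# Remember the logs that already exist so that only the new one is reported afterwards.
$existing = @(Get-ChildItem -Path 'C:\' -Filter 'TDSSKiller.*log.txt' -File -ErrorAction SilentlyContinue |
              ForEach-Object { $_.FullName })

# A random, non-descriptive name. A rootkit that blocks the scanner by its file name
# sees an unfamiliar executable; the file contents are unchanged.
$randomName = [System.IO.Path]::GetRandomFileName().Split('.')[0] + '.exe'
$renamed = Join-Path $env:TEMP $randomName
Copy-Item -LiteralPath $source -Destination $renamed

# Confirm the copy is byte-identical to the original before running it.
$srcHash = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $renamed -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw "Copy does not match the original ($srcHash vs $dstHash)" }
Write-Output "Running $renamed (SHA256 $srcHash)"

# Run elevated and wait until the scanner window has been closed.
Start-Process -FilePath $renamed -Verb RunAs -Wait

# Report the newest log that was not present before the run.
$newLog = Get-ChildItem -Path 'C:\' -Filter 'TDSSKiller.*log.txt' -File -ErrorAction SilentlyContinue |
          Where-Object { $existing -notcontains $_.FullName } |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1

if ($null -eq $newLog) {
    Write-Output 'No new TDSSKiller log in C:\ (the tool may have been stopped before it could write one).'
} else {
    Write-Output "Log written: $($newLog.FullName)"
    # Lines worth quoting in a reply. The keyword list is a constructed guess, not the tool's documented wording.
    Select-String -LiteralPath $newLog.FullName -Pattern 'Detected|Suspicious|Malicious|Cure|Rootkit' |
        ForEach-Object { $_.Line }
}
```

If the scanner still will not start from %TEMP%, the same copy can be made onto a flash drive instead, which is what sethdb ended up doing in reply #24; the hash comparison is there so that whatever copy is run is known to be the file that was downloaded and not something else that has been swapped in.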

sethdb

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #28 on: September 24, 2012, 12:51:36 AM »
I re-ran TDSSKiller as directed; the log is attached.
I then ran aswMBR and it had a blue screen of death in the middle, rebooted, and I ran it again; the second time it made it all the way through. Attached is the log.

One observation I made is that the Libraries no longer show up when I click on Libraries when I try to find a document, etc. Also, I don't see the built-in webcam show up when I go to My Computer, which I believe it used to under Devices or some such. Would this be a result of running one of the diagnostic programs or of the rootkit/virus itself? Either way, I would like to get it back to normal if possible.

sethdb

  • Guest
Re: MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!
« Reply #29 on: September 24, 2012, 12:52:35 AM »
The TDSSKiller log was too large to upload, even in ANSI, so here is the second half.