Infected with MBR:\\.\PHYSICALDRIVE0\Partition4 Need help, thanks!

[jeannette0511]

My son's computer is infected with this nasty virus.  Is it possible since he's uses our home wireless network that my computer is infected?  I need help removing this from his computer - I reinstalled Windows but I'm sure you know that won't fix this nasty one.  I've read forums and I think I have done what is needed.  Here are my log results:

Adware:
# AdwCleaner v2.109 - Logfile created 01/27/2013 at 11:15:41
# Updated 26/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Brian - BRIAN-PC
# Boot Mode : Normal
# Running from : C:\Users\Brian\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.1 (en-US)

File : C:\Users\Brian\AppData\Roaming\Mozilla\Firefox\Profiles\802ayjxx.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [824 octets] - [27/01/2013 11:15:41]

########## EOF - C:\AdwCleaner[S1].txt - [883 octets] ##########

[mikaelrask]

hey and welcome to the forum. a malware expert will help you from here when one is online.

[jeffce]

Hi and welcome,

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

• Disable any script blocking protection
• Right-click and Run as Administrator dds to run the tool.
  
• When done, two DDS.txt's will open.
  
• Save both reports to your desktop.
  

---------------------------------------------------
Please attach the contents of the following in your next reply:

DDS.txt

Attach.txt
----------

Please download TDSSKiller

• Double click TDSSKiller.exe
  
• Press Start Scan
  
• If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  
• Do Not Attempt To Fix Anything Now.  We just need to look over the report and be sure we are removing the correct items. 
• Attach the log in your next reply
• A copy of the log will be saved automatically to the root of the drive (typically C:\)
  

----------

[jeannette0511]

Here you go..thank you for your help!

[jeffce]

Hi,

FRST

Download the 64 bit version for your system of FRST and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[/list]

• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64)  and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
  
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

----------

[jeannette0511]

Here it is.

[jeffce]

In the run box type the following

diskmgmt.msc

When disc management opens expand it so that all drives are visible
Take a screenshot and post it here

Are you able to burn a CD on another computer ?

[jeannette0511]

I will do this as soon as I get home. My other computer has crashed at home but I may be able to stop somewhere on my way home to burn something.  Let me know what it is - thanks!

[jeffce]

Please print out these instructions so it will be easier for you to follow along,

We need to delete the malware partition and set the proper boot partition as active

please do the following:


I need you to download:
gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, for Gparted from the ISO image.

You can use ImgBurn do this.

Now boot off of the newly created Gparted CD.

You should be here... Press ENTER


 

By default, "do not touch keymap" is highlighted.


 

Leave this setting alone and just press ENTER.


 

Choose your language and press ENTER. English is default [33]

At the mode prompt enter 0, press ENTER

You will now be taken to the main GUI screen below


 

According to your logs, the partition that you want to delete is 10 MB

Right click this partition and select delete .


 

The Partition has gone

Now select Apply

Now you should be here:


 

Select Apply after double checking that the right partition was deleted

Is "boot" next to your 100Mb system drive?
If "boot" is not next to your 100Mb System drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

 

In the menu that pops up, place a checkmark in boot like the picture below, then close :


 


Under File select Quit

 

You will see this small Popup

 



Choose reboot and then press OK.
----------

When you get this finished up....run a new scan with aswMBR and attach the new log. 

[jeannette0511]

These links don't open up for me?  I think they're bad?  Can you please send new ones?  Thanks.

[jeffce]

Sorry about that.  Thanks for letting me know.

Download Tuxbot to your desktop 
Run Tuxboot 
On the first screen in the dropdown box select Gparted Live  - stable   
 
Select USB Drive from the Type drop-down. 
Select the correct USB device from the Drive drop-down. 
Click OK. This will start the process of creating the bootable USB device. 
 
The instructions along with screenshot for Tuxbot are Here 
 
Now boot off of the newly created Gparted USB.   
   
You should be here... Press ENTER   
 
 
 
By default, "do not touch keymap" is highlighted.   
 
 
 
 Leave this setting alone and just press ENTER. 
 
 
 
Choose your language and press ENTER. English is default [33]   
 
At the mode prompt enter 0,  press ENTER   
 
You will now be taken to the main GUI screen below 
 
 
 
According to your logs, the partition that you want to delete is 10 MB 
 
Right click this partition and select delete .   
 
 
 
The Partition has gone   
 
Now select Apply   
 
Now you should be here:   
 
 
 
Select Apply after double checking that the right partition was deleted 
   
 
Is "boot" next to your OS drive?   
If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags   
 
 
In the menu that pops up, place a checkmark in boot like the picture below, then close :   
 
   
 
 
Under File select Quit 
 
 
You will see this small Popup   
 
 
 
 
Choose reboot and then press OK. 
 
Once back in normal windows then run aswMBR please.

[jeannette0511]

The program won't run for me - see attached.

[jeffce]

Ok....run a new scan for me with FRST and attach that please so that we can get a fresh look. 

[jeannette0511]

Here's the log.

[jeffce]

ListParts

For x64 bit systems please download  Listparts64
Run the tool, click Scan and attach the log (Result.txt) it makes.
------------