Help with MBR partion4

[vxl1313]

I think i originally posted this in the wrong forumn.  Sorry, I'm new so i reposted below.

One of our laptops got a virus on Friday and I think I made it worse.  We caught a redirect virus that used a ton of resources and slowed browsing dramatically.  I tried windows security essentials, malwarebytes, a free web based virus scan that bleeping computers recommends, and one other program that I bought and nothing could find the virus.  I ran rkill? As instructed by bleeping computer and that didn’t help.  I couldn’t run tdsskiller.  Program wouldn’t run at all.  The Virus  wouldn’t let me go to avast’s website, in fact it brought up a fake site to download a virus scan, so I thought your program would probably work.  I copied a download of avast that I renamed via jump drive and ran a complete scan.  Avast kept blocking things from svchost and explorer so things seemed promising.  About a third of the way through the scan it found a virus mbr//something?/partition4.  Avast recommended deleting the virus immediately and then running a bootscan immediately so it could check for other problems.  I said ok and it shut down the computer but now it will not restart.  I got a message saying windows
When I tried to have windows repair itself it says it cannot automatically.  When clicking show details it says the following:
Problem Event Name:   StartupRepairOffline
Problem Signature01:   6.1.7600.16385
Problem Signature02:   6.1.7600.16385
Problem Signature03:   unknown
Problem Signature04:   21200228
Problem Signature05:   AutoFailover
Problem Signature06:   3
Problem Signature07:   NoRootCause
OS Version:      6.1.7601.2.1.0.256.1
Locale ID:      1033
I know little about computers, did this virus and cure just kill my machine?  Please help.

[mikaelrask]

hey and welcome to the forum.

please follow this guide and attach your logs.

a malware expert will guide from there when one is online later today.

http://forum.avast.com/index.php?topic=53253.0

good luck

[vxl1313]

I cannot follow the guide to post the logs because i cannot get windows to work at this time.  Hopefully we can get that issue resolved first and then i will be happy to follow that guide.

[mikaelrask]

hey i will drop a note to one of the malware expert one you thread.

 

[mikaelrask]

update: i have send a note the a expert called essexbox here on the forum he will help you out when he comes online.

so be patience.

[essexboy]

Hi is this a 32 or 64 bit windows 7 ?

You will need a USB drive of at least 1Gb and another computer to create bootable USB drive

This may be a bad partition MBR virus

[vxl1313]

I think 64 bit. Windows 7 home premium.  I printed out a summary with belarc and it says windows 7 home premium (x64) I do have another laptop and a 4gb jump drive.  Thanks for your help with this.

[essexboy]

Download the following three programmes to your desktop :

 
1.  Rufus

For 64bit systems
2.  Windows 7 64bit RC
3.  Farbar Recovery Scan Tool x64


Insert the USB stick Then run Rufus
 
Select the Windows 7 ISO file on the desktop via the ISO icon.

Press Start Burn

Once finished
Then copy FRST to the same USB 
 
 


Insert the USB into the sick computer and start the computer.  First ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here

 
When you reboot you will  see this although yours will say windows 7.
 Click repair my computer

 
Select your operating system

 
Select Command prompt

 
At the command prompt type the following  :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please attach it  to your reply.

[vxl1313]

ok scan is finished, log is attached stragnge thing though, the drive kept changing, first c, the g, then y

[essexboy]

OK we will need to do this in two parts .. 

First :

Download the attached fixlist.txt to the same USB as FRST64
Run FRST64 as previously
Press FIX
This will remove the Zero Access infection

Once that has completed then download to the same USB

1.  ListParts64

Return to the command prompt type the following  :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\Listparts64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.

Press Scan button.
It will make a log (results.txt) on the flash drive. Please copy and paste it to your reply.

This will enable me to reset the correct partition to active

[vxl1313]

Done, here is the results.  everything seemed to work correctly.

[essexboy]

Are you in windows normally now ?

[vxl1313]

i didnt try to restar. should i?

[essexboy]

Yes please as the bad partition no longer appears active, \If windows does run normally TDSSKiller should run

[vxl1313]

tried restart, windows said couldnt load properl, i tried start windows normally, just wen to restart, second time i chose the startup repair that is sunning now.