Got a bad RootKit! Help!

[SkynetCore]

Got it, Asyn! 

When you opened TDSSKiller,the following options were checked?: Services and drivers and Boot sectors?

Yep, both!

* I can't install the "Windows Recovery Console" as the YouKnowWhat stops
   the installation half way.

I'm gonna try the Combofix and Microsoft Windows Recovery Console. Wish me luck! 

[essexboy]

Everyone should install the recovery console on their system as it is a handy bit of kit

[SkynetCore]

Success! I think... 


Combo fix and Windows Recovery Console both installed and did their tricks. Log enclosed.

Thanks for good and thorough instructions, essexboy! 




But the RootkitBuster still thinks I'm infected!  (That log also enclosed.)


What should I do now?

[essexboy]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt

Is it this one ?  If so it is part of your cd rom emulator (daemon tools)

Download MBRCheck.exe to your Desktop. Run the application.
 
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
 
If an infection is found, you will be presented with the following dialog:
 

Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

 
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

[SkynetCore]

Yep, I saw that Windows Recovery Console killed Daemon in it's log and
it's no longer in the system tray.

I tried to uninstall it, but naturally the uninstaller couldn't finish.
Now I've deleted all remaining files under C:\Program\ (Edit: related to daemonTools. )



And here's the MBR Check log:


We've also left my computer skillz about ten miles ago...

[essexboy]

What are your current problems as the MBR confirmed good

[SkynetCore]

It did? I can't read that complicated logs.


Can I disregard the Rootkitbuster logs that still says I'm infected?


I still have to manually set the boot disk by pressing the F8 key
everytime I start the computer, eventhough I've set the correct
boot disks in Bios.

Could this be caused by that darn SATA Vista disc that I connected?
I know it wanted to boot from that one once during a restart, but
I naturally would'nt let it. Vista would love taking over a XP disc...


I also think both my CD-units and the A: seems slow and unreliable.


I´m thinking of checking with my local computer stores if any of them
can do a really archaic cleaning and boot, flashing BIOS and sorting
out the channels of all the connecting wires inside.
When I boot now there's no Master disk and it says my C: is on a slave...


And finaly there's the issue with my destroyed SATA disk. Gonna check with
a friend of mine who's storage boss of one of the major scandinavian ISP's.
He once saved a disk that was salvaged bit by bit 24/7 for 5 weeks!

- - - - -

Sorry for sounding so negative, I just hate this computer right now. I can't
trust it even with antivirus, firewall, updated M$ and common sense...

 




At least I can say all the help You guys provided has been very mush appreciated! 

[SkynetCore]

Here's a new aswMBR log, listing a staggering 85 lines of crap and
taking 38 minutes to complete...


 

[essexboy]

OK could you boot to XP and then locate the following file C:\Boot.ini it will be hidden so you will need to show hidden files
Then right click and select edit
Copy and paste the contents in your next reply

[SkynetCore]

Okidoki! 

Here's the boot.ini:


My boot hard drive is partitioned. One partition each for OS, games, files and so on.

I've got no other OS on there that I know of.

- - - - -


[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - - - -
- - - - -

[essexboy]

OK that is wrong

Could you start the safe mode menu
Select the Vista partition
Select repair my computer
Select startup repair
Reboot and see if that cures it

If not then there is easybcd which can do it for you - there is a guide and download link here http://neosmart.net/wiki/display/EBCD/Windows+XP

[SkynetCore]

The Vista disc is another matter, that I might get round to later.
That harddrive is at my sisters, in another town...


My rig runs XP and I'm not sure it has the "repair my computer" option.


Will check now...

 


- - - - -

EDIT: I'm still unable to boot from a CD and use Repair Windows from that.

Just a note. I understand that's something different from what you're suggesting, essexboy.

[essexboy]

Is this not the dual boot Vista/xp system ?

You can run easybcd from XP

[SkynetCore]

Nope, this is a single XP Pro system.


It has never run Vista or 7 on any of it's discs.


I breifly connected a Vista disk to it to copy files, and that's probably
how I got infected. The Vista disc is in another town, sleeping on a shelf...

[essexboy]

Could you follow the steps here to reset your boot.ini that may rectify the problem

http://support.microsoft.com/kb/289022