Smart hdd infection

[DeanK]

Ok, I know I should have come to you guys first, but I tried to fix this myself and things have gotten worse. I have a Dell D810, wirelessly connected to my network that has gotten the Smart Hdd virus. Changed it to safe mode and tried Malawarebytes with no luck. Then downloaded Roguekiller and ran it and the virus infected safe mode! Now I don't have any acces to any programs or anything in safe mode either.

I need help to get back so I can even try anything. I have other computers to download info onto memory sticks, but right now the d810 can't even recognize it.

This is a pickle George, a real pickle.

[chaslang]

Welcome to Major Geeks!

You left out a very important detail that impacts what we may say next!!!

What version of Windows are you running?

[DeanK]

Opps...Windows XP Professional, service pack 3.

If I can gain acces to personal files, I can check a save the few my kids have saved there to another computer and wipe the hard drive if necessary. The vast majority of personal files are kept on another computer acting as a server of sorts. So I may have the nuclear option.

Thanks!

[chaslang]

Do you have your Windows XP boot disk? It may or may not be able to be used to run a repair.

To do backups ( not really a topic for this forum ), you will have to research using some other special boot CD that allows that ability. Like perhaps the below link mentions:

Use Ubuntu Live CD to Backup Files from Your Dead Windows Computer

Are you saying the PC does not boot up at all, or are you saying it boots up but you do not seem to be able run anything? If the latter, are you 100% sure you cannot run anything?

[DeanK]

I have the disk that came with the computer, which I think is the boot disk.

The computer does boot up: in regular mode the smart hdd virus pops up right away, listing 21 write fault errors, then S.M.A.R.T. Check pops up and starts running. It seems I can pause it from running, and cannot get the Windows Task Manager to come up, or get internet explorer running. The desktop is blank also.
I did find a work around to get to my C: drive, after showing all hidden files, my documents was listed under start, and I can get to it. I can also plug in a flash drive and access it! So in short, I have no network or internet access, but can access C: and a flashdrive. SMART HDD keeps complaining with different failure warnings, but the 'recovery' program is paused.

I would appreciate any suggestions of what I should load on the flashdrive to run on the infected computer. Thanks.




Safemode with networking is worse. No ccess to file or programs period.

[chaslang]

Quote:

Originally Posted by DeanK

I did find a work around to get to my C: drive, after showing all hidden files, my documents was listed under start, and I can get to it.

Okay then we will try to make use of this.

Quote:

Originally Posted by DeanK

I can also plug in a flash drive and access it!

Okay and we will make use of this too.

Use another PC to download the below programs to your flash drive:

• MGtools
• combofix.exe
• Malwarebytes Anti-Malware

Then put the flash drive into the problem PC and copy each of the above files from the flash drive into your My Documents folder that you said you have access too. Once copied to the My Documents folder, try the below:

• Run MGtools.exe by double clicking on it and wait for it to finish running. It will tell you when finished. Attach the log from MGtools which will be C:\MGlogs.zip Full details on running MGtools are here >> Using MGtools You will have to copy the log file back to your flash drive to use your other PC to post here.
• Now try to run ComboFix.exe by double clicking on it. Since you do not have an internet connection you cannot install the recovery console or perform any other updates. Just see if you can get it to run. If it does then attach the C:\combofix.txt log it creates to your next message.
• Now see if you can get the Malwarebytes installer to run. If you can then run a full scan with it and fix any problems it finds. Immediately reboot your PC after selecting to fix problems.

Let me know what you can and cannot do. If things do not work, tell me exactly what problems you have.

[DeanK]

When I started up the computer after leaving it off for a few days, the smart hdd didn't attack like before. The desktop was blank but the Start menu was populated again (files weren't hidden again either). I had an internet connection too.

MGTools ran fine, file attached.

Combofix ran and updated, and reported I had a rootkit.zeroaccess! virus. After a while it froze, so I rebooted it and ran Combofix again. Froze again during the scan. Oh yeah, during the load (both times) it said there was a parasite in dplayx.dll that was trying to attatch itself to combofix.

Ran Malwarebytes and it came up with 9 trojans, which I think snagged it. The third run of combofix froze up again, but there was no report of the virus.


Attachment 178410

Attachment 178411

I have some success here! What do you think?

[chaslang]

Quote:

Originally Posted by DeanK

After a while it froze, so I rebooted it and ran Combofix again. Froze again during the scan.

Please only follow instructions given. You should not run anything extra times. If something does not work when requested then skip it and report back what happened exactly.

You did not attach valid files, please try attach the logs again. See: HOW TO: Attach Items To Your Post

[DeanK]

Sorry, just thought i couldn't hurt.

Here are the files.

[chaslang]

Okay your infection may have hidden some things from you ( like Start Menu, Programs....etc ). Let's fix this.

Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

http://download.bleepingcomputer.com/grinler/unhide.exe

Now run it ( if you are running Vista or Win 7, use right click and select Run As Administrator ). Did that help with your missing items?

Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: SearchPredictObj Class - {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - C:\Program Files\SearchPredict\SearchPredict.dll
O4 - HKLM\..\Run: [LHWmcRqHquM.exe] C:\Documents and Settings\All Users\Application Data\LHWmcRqHquM.exe
O4 - HKLM\..\Run: [XkFcjVGVgWJhiQK.exe] C:\Documents and Settings\All Users\Application Data\XkFcjVGVgWJhiQK.exe
O4 - HKLM\..\Run: [XkFcjVGVgWJhiQK.exe] C:\Documents and Settings\All Users\Application Data\XkFcjVGVgWJhiQK.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.
See the download links under this icon

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:

Files to delete:
C:\Documents and Settings\All Users\Application Data\-2LNpdaaKmMgU2d
C:\Documents and Settings\All Users\Application Data\-2LNpdaaKmMgU2dr
C:\Documents and Settings\All Users\Application Data\2LNpdaaKmMgU2d
C:\Documents and Settings\All Users\Application Data\2LNpdaaKmMgU2d.exe
C:\Documents and Settings\All Users\Application Data\aHelTFbukWq.exe
C:\Documents and Settings\All Users\Application Data\baaaadccbedct.exe
C:\Documents and Settings\D810\Templates\3lhqy33xpt11p
C:\Documents and Settings\D810\Templates\3u16684857kwb502
C:\Documents and Settings\D810\Templates\alxauq4k5hpr8ufb4pbn6k060p3k
C:\Documents and Settings\D810\Local Settings\temp\Ktd48i3d1Ft4DE.exe.tmp
C:\Documents and Settings\D810\Local Settings\temp\NjPFZDfZkv5Mcw.exe.tmp
C:\WINDOWS\Tasks\SBWUpdateTask_Logon_d0724fa9-0014A43B5F2A.job
C:\WINDOWS\Tasks\SBWUpdateTask_Time_d0724fa9-0014A43B5F2A.job

Folders to delete:
C:\Documents and Settings\D810\Local Settings\temp\sv8f8.tmp

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | LHWmcRqHquM.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | XkFcjVGVgWJhiQK.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | XkFcjVGVgWJhiQK.exe

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[DeanK]

Unhiding went fine.

When I run HiJack This, it gets denied access to a hosts file. There's a funny line:

01 - Hosts: ::1 localhost

that I've never seen before when running HiJack This. Should I delete this? I didn't do it pending your instuctions. Also, I only found line 02 and the last 04 line to fix, the other 04 lines were not listed.

I haven't really run it through it's paces, but I'll try it out and post again.

[DeanK]

Ok, page loading is slower right now, running a video off youtube gives choppy video but the audio is smooth. I ran something I know I've run before so I'd see the difference. The commit charge seems higher than usual, but I can't find any unusual processes running.

Obviously the worst is past now, with no pop-up warnings and I can see and run everything. Time will tell if any strange warning pop up again like after the first round of fixes.

Sorry I didn't say this earlier, thank you for your help! As you can see with my extra tinkering I try to fix things myself, and I have been successful in the past just by following your first steps. This virus was a tough one, and it's great to have this computer up and running again.

Any next steps?

[DeanK]

Update:

explorer.exe is hogging mem usage, eating up between 160,000k and 250,000k. It moves up and down, and when it does the CPU usage goes up, 50-100%.

I have no idea what is running there.

[chaslang]

Quote:

Originally Posted by DeanK

When I run HiJack This, it gets denied access to a hosts file. There's a funny line:

01 - Hosts: ::1 localhost

that I've never seen before when running HiJack This. Should I delete this?

No! This is normal.


Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


Now goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller

Now please also download MBRCheck to your desktop.

See the download links under this icon

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

[DeanK]

I removed Windows Messenger.

TDS Skiller did not run as an .exe or .com. I redownloaded it on a thumbdrive and tried to run it that way but no luck either.

MBRcheck file attached.

No other pop-ups or virus attacks to report, but last problem (slowness) is unchanged.

[chaslang]

MBRcheck shows a faked MBR

Code:

PhysicalDrive0 Model Number: HTS541010G9AT00, Rev: MBZOA60A
      Size  Device Name          MBR Status
  --------------------------------------------
     93 GB  \\.\PhysicalDrive0   MBR Code Faked!
            SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

You need to fix this. Earlier in message number 5 you said you think you have your Win XP boot disk. You need to check and make sure you really have a CD that is a bootable Windows XP disk and check to see if you can boot to the Recovery Console with it. If you can get to the command prompt of the Recovery Console, you need to run the below command.

fixmbr
exit

The second command will reboot. Just reboot normally to Windows and rerun MBRcheck and attach a new log.

[DeanK]

Sorry about the delayed response, I had a serious accident.

The boot disk I tought I had is the Operating System reinstallation CD (Windows XP, SP2) that I recieved with the computer. With it in the cd drive, I was able to choose the recovery console, but the computer appears to freeze while loading it. I tried a couple of times with the same results. Is there a generic boot disk I can make with one of my other computers and use on this one?

[chaslang]

Quote:

Originally Posted by DeanK

I had a serious accident.

Hope everything is okay!

Quote:

Originally Posted by DeanK

With it in the cd drive, I was able to choose the recovery console, but the computer appears to freeze while loading it. I tried a couple of times with the same results.

If you had any external/removable devices ( like USB flash drives, USB hard disks, camera's, MP3 player.....etc ) plugged in then unplug all of them an try again. If this does not help, try the below.

Quote:

Originally Posted by DeanK

Is there a generic boot disk I can make with one of my other computers and use on this one?

Fix MBR using ARCDC

[DeanK]

I'll be healing for a long time...I'm very lucky, it could have been worse or even fatal.

Used ACRDC and made a dic off another computer, and ran it on the troubled laptop here. Nothing seems to have changed. Laptop giving fits about attaching files for some reason, so I copied and pasted the latest MBRcheck file I reran after running fixmbr.



MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 119):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D1000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 PCIIde.sys
0xBA328000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xBA5AC000 intelide.sys
0xB9F4A000 pcmcia.sys
0xBA0B8000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F13000 atapi.sys
0xBA338000 cercsr6.sys
0xB9EFB000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EDB000 fltmgr.sys
0xB9EC9000 sr.sys
0xB9EB2000 KSecDD.sys
0xB9E9F000 WudfPf.sys
0xB9E12000 Ntfs.sys
0xB9DE5000 NDIS.sys
0xB9DCB000 Mup.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA568000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB9C27000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB9C13000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9BF5000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9BD1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9BBB000 \SystemRoot\system32\DRIVERS\gtipci21.sys
0xBA570000 \SystemRoot\system32\DRIVERS\SMCLIB.SYS
0xB9B27000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB9AE4000 \SystemRoot\system32\drivers\STAC97.sys
0xB9AC0000 \SystemRoot\system32\drivers\portcls.sys
0xBA318000 \SystemRoot\system32\drivers\drmk.sys
0xB9A9D000 \SystemRoot\system32\drivers\ks.sys
0xB9A6A000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xB996D000 \SystemRoot\system32\DRIVERS\HSF_DPV.SYS
0xB98C0000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA3F0000 \SystemRoot\System32\Drivers\Modem.SYS
0xBA108000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA118000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA574000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA128000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA138000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA148000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA408000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA6A0000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA158000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA578000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9881000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA168000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA178000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA410000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9870000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA188000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA418000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA420000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9840000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5CC000 \SystemRoot\system32\DRIVERS\serscan.sys
0xBA5CE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB97E2000 \SystemRoot\system32\DRIVERS\update.sys
0xBA594000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA1B8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA1F8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5D2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA5D6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6A7000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5D8000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA440000 \SystemRoot\System32\drivers\vga.sys
0xBA5DA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5DC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA448000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA450000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9D72000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB169F000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB1646000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB162D000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB1607000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA218000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA55C000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xB15E5000 \SystemRoot\System32\drivers\afd.sys
0xBA228000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB15BA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB15A1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA268000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA2B8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB1561000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA618000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB98B8000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA498000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7CB000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF04E000 \SystemRoot\System32\ati2cqag.dll
0xBF080000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2E6000 \SystemRoot\System32\ativvaxx.dll
0xAF375000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAE01A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAE005000 \SystemRoot\system32\drivers\wdmaud.sys
0xAF2E9000 \SystemRoot\system32\drivers\sysaudio.sys
0xADECF000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xADD77000 \SystemRoot\system32\DRIVERS\srv.sys
0xAD8D6000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 36):
0 System Idle Process
4 System
744 C:\WINDOWS\system32\smss.exe
820 csrss.exe
844 C:\WINDOWS\system32\winlogon.exe
888 C:\WINDOWS\system32\services.exe
900 C:\WINDOWS\system32\lsass.exe
1052 C:\WINDOWS\system32\ati2evxx.exe
1064 C:\WINDOWS\system32\svchost.exe
1160 svchost.exe
1200 C:\WINDOWS\system32\svchost.exe
1232 C:\WINDOWS\system32\svchost.exe
1404 svchost.exe
1600 C:\WINDOWS\system32\ati2evxx.exe
1668 svchost.exe
1676 C:\WINDOWS\explorer.exe
184 C:\WINDOWS\system32\spoolsv.exe
232 scardsvr.exe
284 svchost.exe
708 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
732 C:\Program Files\Bonjour\mDNSResponder.exe
1532 C:\WINDOWS\system32\svchost.exe
2060 wmiprvse.exe
2264 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
2296 C:\PROGRA~1\WINDOW~4\Datamngr\DATAMN~1.EXE
2320 C:\Program Files\iTunes\iTunesHelper.exe
2336 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
2372 C:\WINDOWS\system32\ctfmon.exe
2380 C:\WINDOWS\system32\rundll32.exe
2444 C:\Program Files\PIXELA\ImageMixer 3 SE Ver.4\Transfer Utility\CameraMonitor.exe
2560 alg.exe
2920 C:\Program Files\iPod\bin\iPodService.exe
3800 C:\WINDOWS\system32\svchost.exe
2044 C:\WINDOWS\system32\wuauclt.exe
2816 C:\Program Files\Internet Explorer\iexplore.exe
3764 C:\Documents and Settings\D810\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HTS541010G9AT00, Rev: MBZOA60A

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

[chaslang]

Quote:

Originally Posted by DeanK

I'llLaptop giving fits about attaching files for some reason,

Then you may have been trying to reattach the same old log. You need to run a new scan with MBRcheck before ATTACHing the new log. If this is really a new log then you did not get the MBR fixed by booting into the Recovery Console and you will need to do it again and make sure you follow all steps properly. You must BOOT your computer from the CD. You cannot be running Windows and then run those commands.