Trying to clean slave drive

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kirk48, May 3, 2011.

  1. kirk48

    kirk48 Corporal

    I just returned from a Vietnam reunion, carrying a couple of hard drives from the host's computer. He said he had "lost" his computer, but further questioning revealed he thinks he has virus/malware problems. I pulled the drives and brought them home with me. I've slaved his boot drive to another computer and run the scans. I hope I've done this right, I read what Tim said about it in another thread. At any rate I'll attach the logs and see where we go from there.
     

    Attached Files:

  2. kirk48

    kirk48 Corporal

    Here's the last log.
     

    Attached Files:

    • SAS.txt
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not seeing any malware in those logs. What problems are you experiencing if any at the moment when using the computer?
     
  4. kirk48

    kirk48 Corporal

    I was there for the reunion and didn't give the owner the third degree. He said that both his C and D drives were messed up and he had lost all of his data. I don't believe any data loss occurred, but he had enough trouble that he set the computer to the side and bought a new one. I slaved this drive to an existing good drive in order to run the scans. You know how Windows reacts to a hard drive that's been set up for one system being hooked up to a new system as the primary drive. Tim W has said this is the way to go.

    Combofix found evidence of rootkit activity and restarted before it ran. Other than that I can't see anything vicious on this drive either.

    I've got another drive that he had hooked up as a "D" drive. I suppose I should scan it as well.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  6. kirk48

    kirk48 Corporal

    TDSSKiller log attached.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run Combofix again and attach the log.
     
    Last edited: May 4, 2011
  8. kirk48

    kirk48 Corporal

    Combofix log attached. It again found rootkit activity and restarted. I don't see where it scanned the slave drive though, and that is where I suspect the problem.
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Exactly which drive is hooked up when CF finds rootkit activity?
     
  10. kirk48

    kirk48 Corporal

    I have to slave the drive I'm concerned with to a drive I recently installed. If I try to boot from the suspect drive Windows doesn't want to run because the main board is different. It does seem odd that CF finds rootkit activity on the C drive when I'm trying to clean the D drive.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread
     
  12. kirk48

    kirk48 Corporal

    MBR log attached.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What operating system is on physical drive one as indicated in the log?
     
  14. kirk48

    kirk48 Corporal

    Both drives have XP for an OS. I don't know what drive one's service pack is.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.

    Also note if you have a Dell PC which uses a non-standard MBR (or another manufacturer's which does similar to Dell), fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not continue, but you risk serious problems leaving this infection in place and thus your only other option would be to try using the Dell Restore Utility to return to a factory ship state, which will remove everything additional you have put onto the PC.

    Now if you wish to continue and fix the malware - please do the following:
    • Run MBRCheck.exe
    • Wait until you see the following lines:
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
      • Options:
        [1] Dump the MBR of a physical disk to file.
        [2] Restore the MBR of a physical disk with a standard boot code.
        [3] Exit.
        Enter your choice:
    • Please push the 'Y' key and then press Enter
    • When the program asks you to Enter your choice: enter 2 to Restore the MBR and press the Enter key
    • Now the program will ask you to "Enter the physical disk number to fix (0-99, -1 to cancel):"
      • Enter 0 and press the Enter key.
    • The program will show Available MBR codes as below
    • You need to select your version of Windows from the list. For example, enter 0 or 1 for XP or enter 3 for Vista.....etc. and then press Enter.
    • The program will prompt for confirmation. Type 'YES' and hit Enter.
    • Left click on the title bar (where program name and path is written). From the menu choose Edit -> Select All
    • You will see all the text in the window get highlighted.
    • Hit the Enter key on your keyboard to copy all of the text into the clipboard.
    • Paste that text into Notepad, save it to your desktop as MBRfix.txt
    • Restart your PC.
    • Attach the MBRfix.txt file to your next message.
    Also tell me how things are working.
     
  16. kirk48

    kirk48 Corporal

    MBRfix.txt attached. No difference that I can tell.
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please be patient. I am going to ask for further advice.
     
  18. kirk48

    kirk48 Corporal

    Okay, I'm not going anywhere.
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks. :) I have been asking Chaslang's advice regarding your thread. He is a very busy man, but rest assured will get back to you.
     
  20. kirk48

    kirk48 Corporal

    I mentioned in the opening salvo that I had two drives. The second drive is SATA so I yoked it to a machine with RAID and ran the scans. Would it be appropriate to ask that you look at those logs while we wait? Or should we just take things one at a time?
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, that's good that you have logs and I definitely will check them. But as you say, best to take things step by step.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This will not help you get the drive you slaved fully scanned or cleaned. Most of what you are running with the scans is checking the hard disk and operating system that you are booting (including the Windows registry, which will not be for the possibly infected slave drive). The slaving option is just something that could be useful as a getting started method when nothing else can be done on a problem drive/OS. But ultimately, you still need to boot from and scan the infected drive with its own OS.

    The MBRCheck log does indicate that the slave drive (Physical Drive 1) had an unknown MBR. You ran a fix, but we need to see another log after a reboot to see if it really was fixed. Frequently MBRCheck is not fixing MBRs, so you may need to repair it using a Windows Boot Disk matching the OS of the slave drive.

    Note that even if you do get the MBR fixed on the slave drive, how do you intend to see if there is any change to how it works until you boot from it in the original PC?
     
    Last edited: May 6, 2011
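    The MBRCheck steps in post 15 can dump a physical disk's MBR to a file (option 1) before rewriting it, and chaslang notes above that Physical Drive 1 showed an unknown MBR that must be re-checked after the reboot. The script below is an added example, not part of this thread or of MBRCheck itself: it parses a 512-byte MBR dump, checks the 0x55AA signature and partition table, and compares the boot-code hash against a reference hash the analyst supplies from a known-clean disk of the same Windows version. The sample sector and the reference hash are constructed inline for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # boot code runs up to the 4-byte disk signature at 0x1B8
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE      # bytes 55 AA mark a valid sector


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte MBR dump into signature check, boot-code hash and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR dump must be exactly 512 bytes")
    sig = struct.unpack_from("<H", sector, SIGNATURE_OFF)[0]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sig == 0xAA55,   # little-endian view of bytes 55 AA
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """True if the dumped boot code hashes to the analyst-supplied clean reference."""
    return parse_mbr(sector)["boot_code_sha256"] == known_good_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: one bootable NTFS-type (0x07) partition starting at LBA 63."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x12345678)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 0x00FFFFFF)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xEB\xFE" + b"\x90" * 16)      # constructed "known good" sector
    reference = parse_mbr(clean)["boot_code_sha256"]
    altered = build_sample_mbr(b"\x90\x90" + b"\xEB\xFE")       # same partition table, other boot code
    print(parse_mbr(altered)["partitions"], boot_code_matches(altered, reference))
```

A real dump from MBRCheck option 1 is read with `open(path, "rb").read(512)`; a matching partition table with a non-matching boot-code hash is exactly the "unknown MBR" condition the tool reports.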
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also note that the system you ran scans on and posted logs for in the 1st message is an illegal copy of Windows, which is why MBAM deleted the below:

    c:\WINDOWS\system32\antiwpa.dl

    Please read this >>> Warning about Porn, Keygens, Cracks, and other Illegal Software

    We will not work on PCs having illegal copies of Windows or other illegal software.
     
  24. kirk48

    kirk48 Corporal

    I've attached the logs from the sata drive. In this case it is drive H. I'm hoping you can tell me this one is clean and we can continue to fiddle with the IDE drive problem.
     

    Attached Files:

  25. kirk48

    kirk48 Corporal

    And here is the last log
     

    Attached Files:

  26. kirk48

    kirk48 Corporal

    Sorry about this mess. I was trying to help out an old Vietnam buddy. I'll see if I can get him to send me the box. I am now aware the copy of Windows is a phony, I don't knowingly work on computers with illegal software either. I borrowed this small (twelve gig) drive from a colleague, with the OS preinstalled.
    Guess I should be careful with what I ask for. I'll end this thread and try another avenue. Thanks for your time.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No because you did not boot from it. You booted from drive C which is not the drive you want to clean. As I stated before, if you want to properly and fully clean a drive, that is the one you need to boot from if it contains a Windows OS. Only the MBAM & SAS log scanned this drive but even those are not a full scan that you would get if you booted from the drive.
     
  28. kirk48

    kirk48 Corporal

    I'm sorry to have wasted your time with this. I've learned something from it, as always. I'll try to make a new mistake the next time.

    I'm going to ship the drives back to the owner with a caveat that the drives are not yet fully cleaned. I'll see where he wants to go from there.

    Thanks again for your patient assistance.

    Kirk48
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it is not a waste of time if you have learned something. ;) The main point is that we/you cannot say the drive is clean by scanning this way. We just use the slave drive method as a "getting started method" when the drive is not bootable and you have limited options. In the end, you still need to boot the drive and run full cleaning procedures on it. ( See the Warning at the end of this message ).

    Something else you can do on a slaved type setup is to run online scans and pick the slave drive. While this is still not going to be the same as booting and running scans, it gives you some additional feedback. See the online scans in the link below.

    Alternative Scans

    WARNING:

    I do have to give you this warning though about cleaning a drive when it is a slave or when it is not a slave but you just use a special boot CD to boot the infected system from CD.

    When you clean this way, the cleaning program has no knowledge of the Windows OS on the infected drive. Thus the scanner could find infected files that are necessary parts of Windows and it could delete them since they are not protected by Windows because Windows is not running on that drive. Therefore after cleaning the drive this way, you do have the risk that it may no longer boot.

    When you are stuck in the "I cannot get started mode" because nothing else works, you don't have much of an alternative though. So you really need to be sure that nothing really works before taking this other approach. Many people say nothing works, but have not really tried all possibilities.
     
