Google Links Redirecting

Please put ComboFix directly on your desktop, not here:
Running from: c:\downloads\cleaning\ComboFix.exe

* Please download TDSSKiller to your Desktop
* Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
* Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -v

* Follow the instructions to type in "delete" when it asks you what to do when if finds something.
* When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

 

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

No matter what happens with the above, attach the above logs and then immediately continue with the below in normal boot mode!

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::
File::
C:\WINDOWS\Temp\$$$dq3e
C:\WINDOWS\Temp\$67we.$      
C:\WINDOWS\Temp\mmw4

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* HelpAssistant log
* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Your HelpAssistant user was not removed. Please do the last fix again. Make sure all protection software is disabled.

Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

No matter what happens with the above, attach the above logs and then immediately continue with the below in normal boot mode!

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::
File::
C:\WINDOWS\Temp\$$$dq3e
C:\WINDOWS\Temp\$67we.$ 
C:\WINDOWS\Temp\hlktmp
Folder::
c:\documents and settings\HelpAssistant\
Driver::
AVG WatchDog
AVG Firewall
AVG9IDSAgent

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

 

You need to attach the new HelpAsst.log for TimW, but it appears that the fix failed again and a different method will be necessary. Do you have your Windows boot CD?

Is this a Windows based PC or are you a Windows emulation enviroment under another OS. I see the below in your logs

Code:

System Manufacturer Sun Microsystems 
System Model Sun Ultra 20 Workstation

You may not be able to fix this if this is a non-standard environment with a non-standard boot record.

 

We need to see the below log before creating the next fix.

• Download bootkit_remover.rar
• Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
• You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip
• After extracing remover.exe to your Desktop, double click the remover.exe file to run the program.
• Attach or post inline here, the output from remover.exe
• Command prompt window text can be copied to the clip board by right click on the top bar of the window and using the Edit commands to Mark, Copy, and Paste.

 

Do you have all important data on the C and E drives backed up? If so, where? The Z drive which is a removable device.

While much of the time, repairing the MBR can be safe, there is always the chance of a problem occurring especially when malware is at play. You don't have too much of a choice though since the only way to fix you infection is to attempt repair of the MBRs or you will have to manually delete all partitions, repartition, format, and reinstall from scratch which I would assume you want to avoid this second option.

 

Both the C & E ( Not D. According to your logs, D is a CD drive) are infected according to your log and both will need to be either cleaned or repartitioned to even have a chance to remove the MBR infection.

The Z drive may or may not be infected. The unknown boot code could just indicate that it is really an unknown boot partition type, but could even be a sign of infection. I'm leaning towards it just being an unknown partition type.

I recommend that you backup are important data first to the Z drive. Then we could attempt to fix your infected boot records. If the fix works, you will not have to repartition and reinstall. But at least if you backup, it is safer to try the fix afterwards.