More attacks even after Scans

Welcome to Major Geeks!

It looks like you have one or more infection partitions on your hard disk. The one in read is most likely an infection and the one in purple is questionable

Code:

          Disk #0, Partition #0       49,319,424      Unknown                     
TRUE      Disk #0, Partition #1  112,842,616,320  Installable File System     
          [B][COLOR=purple]Disk #0, Partition #2    2,146,798,080    Extended w/Extended Int 13  [/COLOR][/B]
      [COLOR=red][B]    Disk #0, Partition #3    4,984,519,680    Unknown[/B][/COLOR]       

Do you have your Windows XP boot CD?

Your Malwarebytes log shows that you took no action. Did you fix what it found?


Also goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller

Now please also download MBRCheck to your desktop.


See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Note I also suggest that you uninstall Ad-Aware 2007. It is very old and ineffective. It outlived its usefulness many years ago ( even before 2007 ).

 

You need a Windows XP boot disk. A TrendMicro Rescue Disk will not suffice. If you cannot find yours, then do what is in the below link and tell me when you have successfully been able to do this:

Using ARCDC to get the Recovery Console Command Prompt

We don't need that info. It would be more useful to you to know what to avoid in the future.

Once you make the above disk and know you can get into the command prompt of the Recovery Console, we will continue to make another boot cd with partition tools on it. But one thing at a time.

 

• Please download: gparted-live ( approx 121 MB)
• Create a bootable CD for GParted.
• You can use ImgBurn to accomplish this.
  • If you need help on how to use ImgBurn, please view the below guide by dr.m
    • Using ImageBurn to Burn an ISO image

Now boot off of the newly created GParted CD.
http://img534.imageshack.us/img534/5492/gpartedsplash011010.th.png
You should be here...
Press ENTER
http://img819.imageshack.us/img819/7286/gpartedkeymaps.th.png
By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
Choose your language and press ENTER. English is default [33]
http://img140.imageshack.us/img140/7958/gpartedgui.th.png
Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below
http://img32.imageshack.us/img32/1122/gpartedo.th.png
According to your logs, the partition that you want to delete is 4.64 GiB
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:
http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
Now you should be here:
http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
Is boot next to your OS drive? According to your logs, your OS drive is the 105.09 GiB sized partition.
http://img194.imageshack.us/img194/7753/gpartedboot.th.png
If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:
http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
Now press the Close button to save these changes.
Now double-click the http://img715.imageshack.us/img715/641/gpartedexit.png button.
You should receive a small pop up like this:
http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
Choose reboot and then press OK.



Boot the ARCDC boot CD again to the Recovery Console command prompt and execute the following commands pressing ENTER after each:

• fixmbr
• fixboot
• exit

The exit command above will reboot your PC. Allow it to boot into normal Windows and then continue with the below.

Now run a new scan with TDSSKiller

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs (See: How to attach):

• the new log from TDSSKiller
• C:\MGlogs.zip

 

To make sure this CD was created properly, do you have another PC you can test it booting it with. You only want to test to see if it will boot.

Also on your original PC when you try booting from it, make sure your PC is set to boot from CD first ( not the hard disk ). Also make sure that you do not have any removable disk ( like USB flash drives or usb external hard disks plugged in ) before trying to boot your PC up from the CD. Power down you PC and then power it back up and make sure that it is actually booting from the CD.

 

It sounds to me like you are not making a bootable disk. Did you burn the ISO file to the disk using the instructions given to make a bootable disk or did you extract the files from the ISO and simply burn the files to the CD?

No you need to remove the infection in your partition table. These kind of infections can steal personal info and can be very dangerous.

 

Okay. The bad partition is gone now. I assume everything is working okay?

Sometimes it does but usually it is only specific locations and most of the time it just hides the folders. Which folder exactly are you referring too?

 

You're welcome.

What malware scan did you run and do you have a log to attach. Trend Micro was probably just triggered by the other scan running.

 

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

After clicking Fix, exit HJT.


Please delete any versions of TDSSkiller that you have and download the most current version from the below link and follow the process in it to rescan. If you see the below lines this time, then delete them

06:11:48.0167 0348 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
06:11:48.0167 0348 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

Attach the new log from TDSSKiller. Also tell me if you are still having any problems.

 

Too little, too late. We already removed those. They were in quarantine.

Potentially yes! You could run full scans with TDSSKiller and Malwarebytes while they are attached.

Also please make sure that you have rebooted your PC and then run another scan with TDSSkiller and attach the new log. I want to make sure it was really able to fix the TDL infection.

 

You're welcome but you should not have quarantined the unsigned drivers with TDSSKiller. Those are not problems. By quarantining them, you broke all those applications and I'm not sure whether TDSSKiller has really added the ability to unquarantine yet.