Multiple infections on Win7 x64

Welcome to Major Geeks!

Your logs show that you have DHCP disabled which will prevent the PC from getting an IP address. Are you using a Static IP?

I see the below was just recently installed. Tools like this are not recommended. They typically cause more harm then good and infact can cause problems like you are discribing. Did you run this and use it to fix "supposed" registry problems???
Kingsoft PCDoctor

You main issue is that you have one of the more recent form of a TDL infection that has added an infected partition to your harddisk and has made it the active Windows boot partition. Your log shows the below. The bold red partition is the problem.

Code:

Get Partition Info From WMI in K-bytes                          
==============================================================  
Bootable  Name                   Size          Type                     
FALSE     Disk #0, Partition #0  57544704      Unknown                  
FALSE     Disk #0, Partition #1  9795796992    Installable File System  
FALSE     Disk #0, Partition #2  740300947456  Installable File System  
[B][COLOR=red]TRUE      Disk #0, Partition #3  1949696       Unknown[/COLOR][/B]              

Do you have your Windows 7 Boot DVD so that it can be used to boot to the Recovery Environment Command Prompt?

 

Is this because you cannot get one assigned automatically using DHCP.

Not not installed. Just left overs from it.

Unless this person knows how to burn a bootable CD with G-Parted disk partitioning software to use in fixing his infected partition, you are going to have to work with him hands on. Remotely will not work.

As far as the Windows 7 Boot DVD, we may be able to just boot the system to a preinstall Recovery Environment but first the other CD and the partition needs to be addressed.

 

I will post a boiler plate for how we normally use a separate G-Parted boot CD to fix these infected partitions in another message. This partition will have to be deleted before you even need to boot to the System Recovery Environment of Win 7.

You may be able to use the first method below to get into the built-in System Recovery Environment. The second method is how to use the CD to do the same


Method1: To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next then skip down to Part 2 below.

Method 2: To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

Part2: On the System Recovery Options menu you will get the following options:[

• Startup Repair
• System Restore
• Windows Complete PC Restore
• Windows Memory Diagnostic Tool
• Command Prompt

Here we would select Command Prompt in order to run some a couple fixes as you will see in my next post.

 

Okay read message # 7 first to see explanations then continue here.

Below is a set of instructions for making a G-Parted boot disk and using it to remove the infected partition and to make the proper partition on the PC active. If you already have G-Parted on another boot disk, you can use it. Hopefully the version is still similar and matches the instructions.


Instructions:

• Download: gparted-live-0.11.0-7.iso (114 MB)
• Create a bootable CD for GParted. You can useImgBurn to accomplish this.
• If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

Now boot off of the newly created GParted CD.

http://img717.imageshack.us/img717/6546/gpartedsplash01107.th.png
You should be here...
Press ENTER
http://img819.imageshack.us/img819/7286/gpartedkeymaps.th.png
By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
Choose your language and press ENTER. English is default [33]
http://img140.imageshack.us/img140/7958/gpartedgui.th.png
Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below
http://img32.imageshack.us/img32/1122/gpartedo.th.png
According to your logs, the partition that you want to delete is 1.86 MiB (1.86 MB)
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:
http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
Now you should be here:
http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
Is boot next to your OS drive? According to your logs, your OS drive is the 689.46 GB sized partition.
http://img194.imageshack.us/img194/7753/gpartedboot.th.png
If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags
In the menu that pops up, place a checkmark in boot like the picture below:
http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
Now press the Close button to save these changes.
Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.
You should receive a small pop up like this:
http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
Choose reboot and then press OK.



Now reboot from the Windows 7 Recovery Disc or try using Method to from my previous message to get the Recovery Environment and execute the following commands:

• bootrec /fixmbr
• bootrec /fixboot
• exit

Once back in Windows...
Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\MGlogs.zip

 

You're last log looks fine.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome. Surf safely!