Posessed Laptop

Welcome to Major Geeks!

Rerun Hitman Pro and allow it to fix the below infection

Then immediately reboot your PC.


Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

After clicking Fix, exit HJT.

Now run a new scan with RogueKiller and Hitman Pro and save logs as in original instructions and attach the new log.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the new Hitman log
• the new RogueKiller log
• C:\MGlogs.zip

How are things working?

 

Well I was hoping that the easy fix with Hitman would work. You had an infected partition added to your hard disk that showed in your logs. See below from two different logs, highlighted in red

Code:

Get Partition Info From WMI in K-bytes                          
==============================================================  
Bootable  Name                   Size         Type                     
FALSE     Disk #0, Partition #0  8381528064   Unknown                  
FALSE     Disk #0, Partition #1  75993361920  MS-DOS V4 Huge           
FALSE     Disk #0, Partition #2  75664350720  Installable File System  
[B][COLOR=red]TRUE      Disk #0, Partition #3  2604544      Unknown[/COLOR][/B]  
 
 
Partition Disk #0, Partition #0 
Partition Size 7.81 GB (8,381,528,064 bytes) 
Partition Starting Offset 32,256 bytes 
Partition Disk #0, Partition #1 
Partition Size 70.77 GB (75,993,361,920 bytes) 
Partition Starting Offset 8,381,560,320 bytes 
Partition Disk #0, Partition #2 
Partition Size 70.47 GB (75,664,350,720 bytes) 
Partition Starting Offset 84,374,922,240 bytes 
Partition Disk #0, Partition #3 
[COLOR=red][B]Partition Size 2.48 MB (2,604,544 bytes) [/B][/COLOR]
[B][COLOR=red]Partition Starting Offset 160,039,272,960 bytes[/COLOR][/B]                 

We will need to make a G-Parted Boot CD to remove this partition which was made active and make your real Windows partition active instead.

Preferably from a clean computer, I need you to download: gparted-live
Create a bootable CD for GParted. You can useImgBurn to accomplish this.
If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image
Now boot off of the newly created GParted CD.
http://img717.imageshack.us/img717/6546/gpartedsplash01107.th.png
You should be here...
Press ENTER
http://img819.imageshack.us/img819/7286/gpartedkeymaps.th.png
By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
Choose your language and press ENTER. English is default [33]

Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below
http://img32.imageshack.us/img32/1122/gpartedo.th.png
According to your logs, the partition that you want to delete is 2.48 MiB (2.48 MB)
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:
http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
Now you should be here:
http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
Is boot next to your OS drive? According to your logs, your OS drive is the 70.77 GB sized partition.
http://img194.imageshack.us/img194/7753/gpartedboot.th.png
If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags
In the menu that pops up, place a checkmark in boot like the picture below:
http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
Now press the Close button to save these changes.
Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.
You should receive a small pop up like this:
http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
Choose reboot and then press OK.



Now reboot from the Windows 7 Recovery Disc and execute the following commands:

• bootrec /fixmbr
• bootrec /fixboot
• exit

If you do not have a Windows 7 Recovery Disk then use the below to get to a command prompt and then enter those commands.



Enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

• Select Command Prompt
• Then run the below commands
  • bootrec /fixmbr
  • bootrec /fixboot
  • exit

The last one will reboot your PC. After reboot, download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Okay then just change it so that the boot flag is not set and make sure your real Windows partition does have the boot flag.

 

You're welcome.

Okay and is the small partition not set as bootable? If so, just continue.

 

Are you sure the boot flag was set on the 70.77 GB partition and not the 70.47 GB which is not the Windows boot partition?

Can you still boot in safe mode?

 

Yes please check and let me know.

Rerun each of the below to get new logs in safe boot mode:

• TDSSKiller
• Hitman Pro
• Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the new TDSSKiller log
• the new THitman Pro log
• C:\MGlogs.zip

 

Hmmm! Not sure what is going on here. It is confusing that you can boot in safe mode but not normal boot mode. What exactly happens when you attempt to boot in normal boot mode? Is it still the BSOD? How far do you get before the BSOD and does it give any error message?

 

Okay! Sorry we could not get it all fixed up for you.