System Check - Hopefully sorted, just need a follow-up

Goto the below link and follow the instructions for running TDSSKiller from Kaspersky

• TDSSkiller - How to run

• Be sure to attach your log from TDSSKiller

Now please also download MBRCheck to your desktop.

See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

​

 

You're welcome. Just post your results when you can.

 

Try shutting down all other protection software first. Also try safe boot mode.

I'm not seeing any malware in logs thus far. Are you having any malware symptoms?

 

Ah hah! With this in mind, I double checked logs and now the below infected partition comes to light.

Code:

Get Partition Info From WMI in K-bytes                          
==============================================================  
Bootable  Name                   Size          Type                     
FALSE     Disk #0, Partition #0  104857600     Unknown                  
FALSE     Disk #0, Partition #1  15728640000   Installable File System  
FALSE     Disk #0, Partition #2  304237338624  Installable File System  
[B][COLOR=red]TRUE      Disk #0, Partition #3  1040384       Unknown[/COLOR][/B]                  

Correct!!! It cannot fix this and neither can any other scanning tool. Many steps must be used. Attempting to use other procedures and MSE to fix this could result in the problems you are having which is why we don't use it to fix these infections.

Was not a good idea since this cannot fix the problem either because the partitions are changed.

Yes! The infected TDL partition that we can now see.

Potentially yes. I don't really know for sure what they did.

Yes it is the malware. I can still possibly give you a fix that may work ( i will post what the fix would be in my next message ); however the reimage that you already did has changed the initital conditions so some of what I post may not be 100% as far as stating disk/ partition sizes. Also the reimage, has wiped your data from the PC.

 

Below is a set of instructions for making a G-Parted boot disk and using it to remove the infected partition and to make the proper partition on the PC active. As long as the reimage did not windup corrupting the hard disk, the below may work.


Instructions ( obviously you need to use another PC to make the disk ):

• Download: gparted-live-0.11.0-7.iso (114 MB)
• Create a bootable CD for GParted. You can useImgBurn to accomplish this.
• If you need help on how to use ImgBurn, please view this guide by dr.m -- Using ImageBurn to Burn an ISO image

Now boot off of the newly created GParted CD.

http://img717.imageshack.us/img717/6546/gpartedsplash01107.th.png
You should be here...
Press ENTER
http://img819.imageshack.us/img819/7286/gpartedkeymaps.th.png
By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
Choose your language and press ENTER. English is default [33]
http://img140.imageshack.us/img140/7958/gpartedgui.th.png
Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below
http://img32.imageshack.us/img32/1122/gpartedo.th.png
According to your logs, the partition that you want to delete is 1,016.00 KB or about .992 MiB ( .992 MB)
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:
http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
Now you should be here:
http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
Is boot next to your OS drive? According to your logs, your OS drive is the 283.34 GBsized partition.
http://img194.imageshack.us/img194/7753/gpartedboot.th.png
If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags
In the menu that pops up, place a checkmark in boot like the picture below:
http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
Now press the Close button to save these changes.
Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.
You should receive a small pop up like this:
http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
Choose reboot and then press OK.


Now you need to boot into the Windows 7 Recovery Environment using one of the below two methods.


Method1: To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next then skip down to Part 2 below.

Method 2: To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

Part2: On the System Recovery Options menu you will get the following options:[

• Startup Repair
• System Restore
• Windows Complete PC Restore
• Windows Memory Diagnostic Tool
• Command Prompt

Here we would select Command Prompt and then at the command prompt run the below commands ( note the space after bootrec )

• bootrec /fixmbr
• bootrec /fixboot
• exit

Once back in Windows...
Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\MGlogs.zip

 

You're welcome.

:-D Totally not needed but too late.

Yes the majority of infections we are getting these days do things like this. There are many forms, but MBR and/or partition infections are running wild.

 

Yes it is much worse than ever. And most commerical protection tools do nothing to block these problems. Nor are the capable of fixing them. Many steps are required which is why this forum and many others like it, are extremely busy.

 

There is no perfect ideal solution, but you can follow the instructions in the below

How to Protect yourself from malware!

One of the most important things these days is the user of the PC. Everyone needs to be more aware of what they are doing, where they are surfing, what they are downloading and installing, what they are clicking on. Read before clicking and even then be very careful.

Even sites that people think are 100% safe ( like google ) are far from safe. They do not police eveything that is there.