Click.GiftLoad

[TomLL]

Ken,
I really appreciate your efforts to help me! I'll wait for sure because that problem is way over my skills and knowledge.

Thomas

[ken545]

Thomas,

We're dealing with a possible infection of the Master Boot Record and we want to make sure we run the right tool, yours is a bit different variant that is showing up on the scans so just sit tight

[ken545]

Run this please

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.




Now run aswMBR again to save a log, not the fix

[TomLL]

I ran first 5 steps of your list. After clicking "Yes" to "Finished" message I'm coming back to pop-up asking me if I want to disable CD emulation drivers. No reboot request.

[ken545]

Yes, disable them, we will re enable them when were done

Drag your copy of aswMBR to the trash , reboot your computer and then download it again and post the log

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply

[TomLL]

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 17:10:29
-----------------------------
17:10:29.671 OS Version: Windows 5.1.2600 Service Pack 3
17:10:29.671 Number of processors: 1 586 0x401
17:10:29.671 ComputerName: BELAIRE UserName: Owner
17:10:45.890 Initialize success
17:10:53.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
17:10:53.093 Disk 0 Vendor: ST3160827AS 3.42 Size: 152627MB BusType: 3
17:10:53.093 Device \Driver\atapi -> DriverStartIo 8a9c2332
17:10:55.109 Disk 0 MBR read successfully
17:10:55.109 Disk 0 MBR scan
17:10:55.109 Disk 0 TDL4@MBR code has been found
17:10:55.109 Disk 0 Windows XP default MBR code found via API
17:10:55.109 Disk 0 MBR hidden
17:10:55.109 Disk 0 MBR [TDL4] **ROOTKIT**
17:10:55.109 Disk 0 trace - called modules:
17:10:55.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9c24e7]<<
17:10:55.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa61ab8]
17:10:55.109 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000066[0x8aa3b9e8]
17:10:55.109 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8aa82b00]
17:10:55.625 \Driver\atapi[0x8aa21b60] -> IRP_MJ_CREATE -> 0x8a9c24e7
17:10:55.625 Scan finished successfully
17:11:05.000 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
17:11:05.000 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


That's it.

[TomLL]

After reboot I discovered report from Defogger:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:54 on 03/05/2011 (Owner)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

[ken545]

Those drivers we disabled where for your CD, we will enable them when were done.

Ok, aswMBR should run ok now

Lets try it again, post the log when done and then go ahead and run DDS and post a new log


Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix for TDL4





Save the log as before and post in your next reply

[TomLL]

Here it is:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 18:05:34
-----------------------------
18:05:34.828 OS Version: Windows 5.1.2600 Service Pack 3
18:05:34.828 Number of processors: 1 586 0x401
18:05:34.828 ComputerName: BELAIRE UserName: Owner
18:05:35.328 Initialize success
18:05:38.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
18:05:38.625 Disk 0 Vendor: ST3160827AS 3.42 Size: 152627MB BusType: 3
18:05:38.625 Device \Driver\atapi -> DriverStartIo 8a9c2332
18:05:40.625 Disk 0 MBR read successfully
18:05:40.625 Disk 0 MBR scan
18:05:40.625 Disk 0 TDL4@MBR code has been found
18:05:40.625 Disk 0 Windows XP default MBR code found via API
18:05:40.625 Disk 0 MBR hidden
18:05:40.625 Disk 0 MBR [TDL4] **ROOTKIT**
18:05:40.625 Disk 0 trace - called modules:
18:05:40.625 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9c24e7]<<
18:05:40.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa61ab8]
18:05:40.625 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000066[0x8aa3b9e8]
18:05:40.625 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8aa82b00]
18:05:41.125 \Driver\atapi[0x8aa21b60] -> IRP_MJ_CREATE -> 0x8a9c24e7
18:05:41.125 Scan finished successfully
18:05:52.796 Disk 0 fixing MBR ...
18:06:02.796 Disk 0 MBR restored successfully
18:06:02.796 Verifying disinfection
18:06:16.812 Infection fixed successfully - please reboot ASAP
18:06:40.593 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
18:06:40.593 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

[ken545]

Reboot and post a new DDS log please