-
Ken,
I really appreciate your efforts to help me! I'll wait for sure because that problem is way over my skills and knowledge.
Thomas
-
Thomas,
We're dealing with a possible infection of the Master Boot Record and we want to make sure we run the right tool. Yours is a slightly different variant than what is showing up on the scans, so just sit tight.
-
Run this please
Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
- The application window will appear
- Click the Disable button to disable your CD Emulation drivers
- Click Yes to continue
- A 'Finished!' message will appear
- Click OK
- DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.
Now run aswMBR again to save a log, not the fix
-
DeFogger
I ran the first 5 steps of your list. After clicking "Yes" at the "Finished" message I come back to the pop-up asking me if I want to disable the CD emulation drivers. No reboot request.
-
Second aswMBR report
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 17:10:29
-----------------------------
17:10:29.671 OS Version: Windows 5.1.2600 Service Pack 3
17:10:29.671 Number of processors: 1 586 0x401
17:10:29.671 ComputerName: BELAIRE UserName: Owner
17:10:45.890 Initialize success
17:10:53.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
17:10:53.093 Disk 0 Vendor: ST3160827AS 3.42 Size: 152627MB BusType: 3
17:10:53.093 Device \Driver\atapi -> DriverStartIo 8a9c2332
17:10:55.109 Disk 0 MBR read successfully
17:10:55.109 Disk 0 MBR scan
17:10:55.109 Disk 0 TDL4@MBR code has been found
17:10:55.109 Disk 0 Windows XP default MBR code found via API
17:10:55.109 Disk 0 MBR hidden
17:10:55.109 Disk 0 MBR [TDL4] **ROOTKIT**
17:10:55.109 Disk 0 trace - called modules:
17:10:55.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9c24e7]<<
17:10:55.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa61ab8]
17:10:55.109 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000066[0x8aa3b9e8]
17:10:55.109 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8aa82b00]
17:10:55.625 \Driver\atapi[0x8aa21b60] -> IRP_MJ_CREATE -> 0x8a9c24e7
17:10:55.625 Scan finished successfully
17:11:05.000 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
17:11:05.000 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
That's it.
-
DeFogger report
After the reboot I discovered this report from DeFogger:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:54 on 03/05/2011 (Owner)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
-=E.O.F=-
-
Those drivers we disabled were for your CD; we will enable them when we're done.
OK, aswMBR should run fine now.
Let's try it again, post the log when done, and then go ahead and run DDS and post a new log.
Re-Run aswMBR
Click Scan
On completion of the scan
Click the Fix for TDL4
Save the log as before and post in your next reply
-
Fix for TDL4 aswMBR report
Here it is:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-03 18:05:34
-----------------------------
18:05:34.828 OS Version: Windows 5.1.2600 Service Pack 3
18:05:34.828 Number of processors: 1 586 0x401
18:05:34.828 ComputerName: BELAIRE UserName: Owner
18:05:35.328 Initialize success
18:05:38.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
18:05:38.625 Disk 0 Vendor: ST3160827AS 3.42 Size: 152627MB BusType: 3
18:05:38.625 Device \Driver\atapi -> DriverStartIo 8a9c2332
18:05:40.625 Disk 0 MBR read successfully
18:05:40.625 Disk 0 MBR scan
18:05:40.625 Disk 0 TDL4@MBR code has been found
18:05:40.625 Disk 0 Windows XP default MBR code found via API
18:05:40.625 Disk 0 MBR hidden
18:05:40.625 Disk 0 MBR [TDL4] **ROOTKIT**
18:05:40.625 Disk 0 trace - called modules:
18:05:40.625 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9c24e7]<<
18:05:40.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa61ab8]
18:05:40.625 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000066[0x8aa3b9e8]
18:05:40.625 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8aa82b00]
18:05:41.125 \Driver\atapi[0x8aa21b60] -> IRP_MJ_CREATE -> 0x8a9c24e7
18:05:41.125 Scan finished successfully
18:05:52.796 Disk 0 fixing MBR ...
18:06:02.796 Disk 0 MBR restored successfully
18:06:02.796 Verifying disinfection
18:06:16.812 Infection fixed successfully - please reboot ASAP
18:06:40.593 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
18:06:40.593 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"
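As an added example (not code from this thread or from the aswMBR tool), here is a small Python triage helper that reduces the two aswMBR logs above to the facts a responder acts on: the rootkit family flagged on the MBR, the unknown code address in the call trace, the atapi IRP hook that resolves to that same address, and whether a later run reports the MBR restored and the disinfection verified. The log lines are the ones posted in this thread, trimmed; the field and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the scan-only log and the fix log posted above,
# trimmed to the lines the parser cares about.
SCAN_LOG = """\
17:10:55.109 Disk 0 MBR read successfully
17:10:55.109 Disk 0 TDL4@MBR code has been found
17:10:55.109 Disk 0 MBR hidden
17:10:55.109 Disk 0 MBR [TDL4] **ROOTKIT**
17:10:55.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9c24e7]<<
17:10:55.625 \\Driver\\atapi[0x8aa21b60] -> IRP_MJ_CREATE -> 0x8a9c24e7
17:10:55.625 Scan finished successfully
"""
FIX_LOG = SCAN_LOG + """\
18:05:52.796 Disk 0 fixing MBR ...
18:06:02.796 Disk 0 MBR restored successfully
18:06:02.796 Verifying disinfection
18:06:16.812 Infection fixed successfully - please reboot ASAP
"""

ROOTKIT_RE = re.compile(r"MBR \[(\w+)\] \*\*ROOTKIT\*\*")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<")
IRP_RE = re.compile(r"(\\Driver\\\w+)\[0x[0-9a-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-f]+)")

@dataclass
class MbrVerdict:
    rootkit: Optional[str] = None                    # family named on the **ROOTKIT** line
    mbr_hidden: bool = False                         # MBR read via disk != MBR read via API
    unknown_code: List[str] = field(default_factory=list)   # addresses outside any known module
    hooked_irps: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver, IRP, target)
    fixed: bool = False                              # tool reported the MBR restored
    verified: bool = False                           # tool re-scanned and found it clean

    @property
    def hook_in_unknown_code(self) -> bool:
        """True when a driver IRP handler points into the unknown code region."""
        return any(target in self.unknown_code for _, _, target in self.hooked_irps)

    @property
    def needs_action(self) -> bool:
        return self.rootkit is not None and not (self.fixed and self.verified)

def parse_aswmbr(log: str) -> MbrVerdict:
    """Walk an aswMBR log line by line, dropping the HH:MM:SS.mmm timestamp."""
    v = MbrVerdict()
    for line in log.splitlines():
        _, _, msg = line.partition(" ")
        if m := ROOTKIT_RE.search(msg):
            v.rootkit = m.group(1)
        elif "MBR hidden" in msg:
            v.mbr_hidden = True
        elif m := UNKNOWN_RE.search(msg):
            v.unknown_code.append(m.group(1))
        elif m := IRP_RE.search(msg):
            v.hooked_irps.append((m.group(1), m.group(2), m.group(3)))
        elif "MBR restored successfully" in msg:
            v.fixed = True
        elif "Infection fixed successfully" in msg:
            v.verified = True
    return v
```

Running `parse_aswmbr` over the first log yields a verdict that still needs action; over the second it reports the MBR fixed and verified, which is the state the helper was waiting for before asking for a reboot and a fresh DDS log.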
-
Reboot and post a new DDS log please