PA MBR Alureon (R-K) Virus [Closed] - Geeks to Go Forums


PA MBR Alureon (R-K) Virus [Closed]

#1 jazzdazz

  • Group: Member
  • Posts: 20
  • Joined: 01-May 12

Posted 03 May 2012 - 05:05 AM

Good Morning,

I am using Avast software and it showed my computer has a rootkit virus (MBR Alureon (R-K)). I have tried many programs to remove with no luck. I downloaded OTL.scr, OTL.com, Antispyware, Malaware. OTL does not run a complete scan to produce a log; Antispyware and Malaware both indicate no virus found. Avast boot scan says it removed the virus, but when I reboot, the window pops up that the virus is still active.

Also, I get a popup window from Avast that says: Avastsvc.exe application error - The instruction at 0x64802e46 referenced memory at "0x00000010". The memory could not be read. One other thing - when I browse, my browser redirects. Firefox is my browser, but I use Google.

Is my computer doomed - cause it sure sounds like it.

#2 Nedklaw

  • Group: Malware Removal
  • Posts: 1,651
  • Joined: 31-January 10

Posted 03 May 2012 - 09:55 AM

Hello, jazzdazz! :wave:

:welcome: I'm Nedklaw and I'll be glad to help you with your malware issues. :)

I am currently still in training and my posts have to be approved by an expert so please expect a delay between my posts.

These instructions are specifically designed for jazzdazz only. No one else should follow these instructions because it can cause serious damage to your computer.

Before we start to clean your computer of malware, please read through the following points to help me and you, and prevent damage to your computer:
  • Please completely read through all of the instructions given to you before attempting to follow them. Reading too lightly will cause you to miss important steps, which could have DESTRUCTIVE effects. If you can't perform a certain step or you are unsure about what to do, let me know!
  • Don't be afraid to ask questions! If you are unsure about anything, ask me! No question is considered stupid here!
  • Be patient with me, logs can take some time to research and my life can mean that I'm busy.
  • Please copy and paste all logs into your reply. Do not attach logs to a post unless I tell you to or if they don't fit in the post.
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • NEVER fix anything in OTL or other programs on your own! This can be very dangerous and cause harm to your system.
  • Refrain from running any other tools apart from the ones I tell you to.

Note: You should save or print out my instructions for easy reference, as part of the fix may be in Safe Mode and you won't be able to access GeeksToGo.


Step 1

Download aswMBR.exe (4.5MB) to your desktop.

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.
If Avast asks to download definitions, please say Yes.

On completion of the scan click save log, save it to your desktop and post it in your next reply.

Things I want to see in your next reply

  • aswMBR.txt


#3 jazzdazz

  • Group: Member
  • Posts: 20
  • Joined: 01-May 12

Posted 04 May 2012 - 10:04 AM

Hi NedkLaw,

Thank you for being of assistance to me. I followed your instructions. I downloaded the aswMBR.exe; however, it will not open on my computer. When I double click, a popup window from Avast says: Not able to determine if Malware - program terminated. The same thing happened when I downloaded and tried to run a scan with OTL.exe; OTL.scr, etc.

Jazzdazz

#4 Nedklaw

  • Group: Malware Removal
  • Posts: 1,651
  • Joined: 31-January 10

Posted 04 May 2012 - 12:56 PM

Hi. :)


Step 1

  • Download RogueKiller and save it on your desktop.
  • Quit all programs.
  • Start RogueKiller.exe.
  • Note: If RogueKiller has been blocked, do not hesitate to try several times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
  • Wait until the Prescan has finished.
  • Click on Scan.
  • Wait for the end of the scan.
  • The report has been created on the desktop.

  • Click on the Delete button.
  • The report has been created on the desktop.


Step 2

Try running aswMBR.exe again (using my previous instructions) after running RogueKiller. If it still doesn't run, rename it to Nedklaw.exe and try again.


Step 3

If aswMBR didn't run then I will need a screenshot of Disk Management.

For Windows XP

Do the following:
  • Start -> Run.
  • Type diskmgmt.msc.
  • Click OK.

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screenshot of the Disk Management Window and attach the screenshot to your reply.


For Windows Vista/7

  • Click on the Start button and then choose Control Panel.
  • Click on the System and Security link.
    Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link so just click on the Administrative Tools icon and skip to Step 4.

  • In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
  • In the Administrative Tools window, double-click on the Computer Management icon.
  • When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.

Take a screenshot of the Disk Management Window and attach the screenshot to your reply.


Things I want to see in your next reply

  • All RKreport.txt files
  • aswMBR.txt
  • A screenshot of the Disk Management Window (if aswMBR failed to run)


#5 jazzdazz

  • Group: Member
  • Posts: 20
  • Joined: 01-May 12

Posted 04 May 2012 - 03:24 PM

Hi NedkLaw,

Did all that you asked. Ended up having to run diskmgmt, but can't figure out how to take a screen shot. Looked in help and its directions given do not work - ALT + Print Screen.

#6 Nedklaw

  • Group: Malware Removal
  • Posts: 1,651
  • Joined: 31-January 10

Posted 04 May 2012 - 03:29 PM

Hi. :)
I'll give you the print screen instructions step by step in case you are missing something.

  • You can either press Alt+Print Screen or just the Print Screen button.
  • You then have to paste the image into Paint and save it.
  • You can then attach it in your next reply.


#7 jazzdazz

  • Group: Member
  • Posts: 20
  • Joined: 01-May 12

Posted 04 May 2012 - 03:59 PM

Hi, here is RKreport.txt

RogueKiller V7.4.3 [05/04/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: owner [Admin rights]
Mode: Scan -- Date: 05/04/2012 16:50:26

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 13 ¤¤¤
[BLACKLIST DLL] HKUS\S-1-5-19[...]\Run : Update (rundll32.exe "C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware.com\wmgaaaizl.dll",DllRegisterServer) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware.com\wmgaaaizl.dll",DllRegisterServer) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-20[...]\Run : Update (rundll32.exe "C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware.com\wmgaaaizl.dll",DllRegisterServer) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware.com\wmgaaaizl.dll",DllRegisterServer) -> FOUND
[BLACKLIST DLL] HKUS\S-1-5-21-1229272821-823518204-1177238915-1003_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware.com\wmgaaaizl.dll",DllRegisterServer) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
94.63.147.16 www.google.com
94.63.147.17 www.bing.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AACS-00D6B1 +++++
--- User ---
[MBR] f675b690aea3e8a9396c12ac68fa5243
[BSP] b7cb42b22dc882131a6a6f85b63be1e5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 610477 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] edf33485b046a262948988e834209fc8
[BSP] b7cb42b22dc882131a6a6f85b63be1e5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 610477 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1250258625 | Size: 2 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt



RogueKiller V7.4.3 [05/04/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: owner [Admin rights]
Mode: Remove -- Date: 05/04/2012 16:56:45

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 13 ¤¤¤
[BLACKLIST DLL] HKUS\S-1-5-19[...]\Run : Update (rundll32.exe "C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware.com\wmgaaaizl.dll",DllRegisterServer) -> DELETED
[BLACKLIST DLL] HKUS\S-1-5-19_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware.com\wmgaaaizl.dll",DllRegisterServer) -> DELETED
[BLACKLIST DLL] HKUS\S-1-5-20[...]\Run : Update (rundll32.exe "C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware.com\wmgaaaizl.dll",DllRegisterServer) -> DELETED
[BLACKLIST DLL] HKUS\S-1-5-20_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware.com\wmgaaaizl.dll",DllRegisterServer) -> DELETED
[BLACKLIST DLL] HKUS\S-1-5-21-1229272821-823518204-1177238915-1003_Classes[...]\Run : Update (rundll32.exe "C:\Documents and Settings\owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware.com\wmgaaaizl.dll",DllRegisterServer) -> DELETED
[HJ] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
94.63.147.16 www.google.com
94.63.147.17 www.bing.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AACS-00D6B1 +++++
--- User ---
[MBR] f675b690aea3e8a9396c12ac68fa5243
[BSP] b7cb42b22dc882131a6a6f85b63be1e5 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 610477 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] edf33485b046a262948988e834209fc8
[BSP] b7cb42b22dc882131a6a6f85b63be1e5 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 610477 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1250258625 | Size: 2 Mo

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

There is a Quarantine File and a RK(2).txt (it appears to be the same as the above though)
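The two HOSTS lines in the report above (www.google.com and www.bing.com pinned to 94.63.147.x) are what produces the browser redirects described in the first post. As an added example, not part of this thread and not RogueKiller's own logic, the following Python check runs over a HOSTS file and flags entries that map a hostname to a public address; loopback, 0.0.0.0 blackholes and LAN addresses are left alone because those are the legitimate uses of the file. The sample HOSTS text and its benign lines are constructed here; only the two hijacked entries are copied from the report.

```python
"""Flag HOSTS entries that pin a hostname to a public (globally routable) address.

Added example for this thread; the public-address heuristic is an assumption of
this script, not how RogueKiller decides what to report."""
import ipaddress


def parse_hosts(text):
    """Yield (line_number, ip_or_None, [hostnames], raw_line) for each non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            ip = None                          # malformed address field
        yield lineno, ip, parts[1:], raw


def find_hijacks(text):
    """Return a list of (line_number, message, raw_line) for suspicious entries."""
    findings = []
    for lineno, ip, names, raw in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "unparseable address field", raw))
            continue
        # localhost, 0.0.0.0 blackholes and private/link-local LAN mappings are
        # the normal contents of a HOSTS file; only globally routable targets
        # are worth a second look.
        if not ip.is_global:
            continue
        for name in names:
            findings.append((lineno, f"{name} pinned to public address {ip}", raw))
    return findings


# Constructed sample: the first three lines are benign placeholders, the last two
# are the entries RogueKiller listed in the report above.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
0.0.0.0         ads.example          # blackhole-style entry, benign
192.168.1.20    intranet.example     # LAN mapping, benign
94.63.147.16 www.google.com
94.63.147.17 www.bing.com
"""

if __name__ == "__main__":
    for lineno, msg, raw in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {msg}    <- {raw.strip()}")
```

On a Windows XP machine the file lives at C:\WINDOWS\system32\drivers\etc\hosts; read it with `open(path, encoding="latin-1")` and pass the text to `find_hijacks`. Treat any hit on a search engine, update server or security vendor as a strong sign of tampering rather than a misconfiguration.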

#8 jazzdazz

  • Group: Member
  • Posts: 20
  • Joined: 01-May 12

Posted 04 May 2012 - 04:11 PM

Tried to upload diskmgmt file - says too big to upload. Should I copy and paste?

#9 Nedklaw

  • Group: Malware Removal
  • Posts: 1,651
  • Joined: 31-January 10

Posted 04 May 2012 - 04:32 PM

Hi. :)
No, you can leave the screenshot now because RogueKiller has confirmed the TDL4/MaxSS Partition Rootkit is on your computer.


You will need a USB drive and another computer which is clean of infection.

Download GETxPUD.exe to the desktop of your clean computer.
  • Run GETxPUD.exe.
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat.
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer.
  • Boot the Sick computer with the CD you just burned.
  • The computer must be set to boot from the CD.
  • Gently tap F12 and choose to boot from the CD.
  • Follow the prompts.
  • A Welcome to xPUD screen will appear.
  • Press File.
  • Expand mnt.
  • sda1,2...usually corresponds to your HDD.
  • sdb1 is likely your USB.
  • Click on the folder that represents your USB drive (sdb1).
  • Press Tool at the top.
  • Choose Open Terminal.
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter.
  • After it has finished a file will be located on your USB drive named mbr.bin.
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin.
  • Zip the mbr.bin file and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.
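The dd command above captures the first 512-byte sector of the disk from outside the running Windows, which is exactly why the live CD is needed: the RogueKiller "MBR Check" in the report compares what the OS returns for that sector ("User") with a lower-level read ("LL2"), finds they differ, and in the low-level view sees a hidden type 0x17 partition marked active. As an added example, not from this thread and not the code of RogueKiller, aswMBR or xPUD, here is a Python script that parses such an mbr.bin, reports hidden or active partitions, and flags a mismatch between the two reads. The `build_mbr` helper and the two sample sectors are constructed for the demonstration; their partition offsets and sizes follow the figures in the report, and the resulting hashes have nothing to do with the ones the report shows.

```python
"""Audit a raw 512-byte MBR dump such as the mbr.bin produced by dd.

Added example for this thread. Sample MBRs are constructed; see build_mbr()."""
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55   # bytes 510-511 of a valid MBR (55 AA on disk)
NTFS = 0x07
HIDDEN_NTFS = 0x17       # "hidden NTFS" type id; what the report marks [HIDDEN!]


def parse_partition_table(mbr):
    """Return the used entries of the 4-slot partition table at offset 446."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    (sig,) = struct.unpack_from("<H", mbr, 510)
    if sig != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # entry layout: boot flag, CHS start (3), type, CHS end (3), LBA start, sectors
        boot, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue                      # unused slot
        entries.append({
            "index": i,
            "active": boot == 0x80,
            "type": ptype,
            "hidden": ptype == HIDDEN_NTFS,
            "start_lba": lba_start,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return entries


def audit_mbr(low_level_dump, os_view=None):
    """Return human-readable findings; an empty list means nothing suspicious.

    low_level_dump: sector 0 as read outside the running OS (the dd output).
    os_view:        sector 0 as the running OS reports it, if available.
    """
    findings = []
    entries = parse_partition_table(low_level_dump)
    if os_view is not None and hashlib.md5(os_view).digest() != hashlib.md5(low_level_dump).digest():
        findings.append("sector 0 differs between OS view and low-level read (User != LL)")
    if sum(e["active"] for e in entries) > 1:
        findings.append("more than one partition marked active")
    for e in entries:
        if e["hidden"]:
            what = "hidden partition (type 0x17)"
            if e["active"]:
                what += " marked ACTIVE, so it boots before Windows"
            findings.append(f"entry {e['index']}: {what}, start sector {e['start_lba']}, {e['size_mb']} MB")
    return findings


def build_mbr(entries):
    """Construct a synthetic MBR from (active, type, start_lba, sector_count) tuples."""
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if active else 0x00, ptype, start, count)
        for active, ptype, start, count in entries
    ).ljust(64, b"\x00")
    return b"\x00" * 446 + table + struct.pack("<H", MBR_SIGNATURE)


# Constructed samples following the report: a 610477 MB visible NTFS volume at
# sector 63, and a 2 MB hidden 0x17 partition at sector 1250258625 that is the
# only active entry. 1 MB = 2048 sectors of 512 bytes.
CLEAN_MBR = build_mbr([(True, NTFS, 63, 610477 * 2048)])
INFECTED_MBR = build_mbr([
    (False, NTFS, 63, 610477 * 2048),
    (True, HIDDEN_NTFS, 1250258625, 2 * 2048),
])

if __name__ == "__main__":
    print("clean   :", audit_mbr(CLEAN_MBR, os_view=CLEAN_MBR) or "nothing suspicious")
    for line in audit_mbr(INFECTED_MBR, os_view=CLEAN_MBR):
        print("infected:", line)
```

To run it on a real dump, read the file with `open("mbr.bin", "rb").read()` and pass it as `low_level_dump`; if you also have the sector as the running system reports it, pass that as `os_view` and a mismatch alone is enough to justify the rebuild the helper is steering toward. Absence of findings only proves the partition table looks sane, not that the boot code itself is unmodified; that still needs comparison against a known-good MBR for the same Windows version.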

#10 jazzdazz

  • Group: Member
  • Posts: 20
  • Joined: 01-May 12

Posted 05 May 2012 - 02:39 PM

Ned I did as you said after creating CD on healthy computer. I emailed the file mbr.bin by attaching about one hour ago and thought I'd follow up. I don't see my last reply. Is it possible something went wrong?

#11 jazzdazz

  • Group: Member
  • Posts: 20
  • Joined: 01-May 12

Posted 05 May 2012 - 02:41 PM

I was using neighbor's computer. Didn't want to inconvenience any way again. May be delayed until accessing a healthy computer to resend. Don't know what happened. May I ask why I can't send file from flashdrive on my (infected) computer.

Jazzdazz

#12 Nedklaw

  • Group: Malware Removal
  • Posts: 1,651
  • Joined: 31-January 10

Posted 05 May 2012 - 02:44 PM

Hi. :)
You have to use the Attach feature below the reply box to attach a file.
  • Click Browse and find the mbr.bin file.
  • Click Attach This File.
  • Click Add to Post and then reply.


#13 jazzdazz

  • Group: Member
  • Posts: 20
  • Joined: 01-May 12

Posted 05 May 2012 - 02:49 PM

That's exactly what I did. I browsed, located the zip file, and clicked attached (it showed the file in the box). Then I posted.

#14 jazzdazz

  • Group: Member
  • Posts: 20
  • Joined: 01-May 12

Posted 05 May 2012 - 02:52 PM

Hi again,

Can I send from my infected computer, since it's on flash?

#15 Nedklaw

  • Group: Malware Removal
  • Posts: 1,651
  • Joined: 31-January 10

Posted 05 May 2012 - 02:54 PM

Hi. :)
Can you try attaching it again as I can't see your last reply either.
