Win XP computer is messed up bad...

Discussion in 'malware problems & news' started by kathyL, May 20, 2011.

Thread Status:
Not open for further replies.
  1. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    zoiks. #2...

    clicked on MBRCheck; Avast popped up and said it might be dangerous, i clicked close, and as soon as i did that, it appears WBRC downloaded. i am looking at another black DOS screen:

    command-line:
    windows version: blah blah
    windows information: blah blah

    3 lines of addresses

    and at the bottom:

    Done!
    Press ENTER to exit...

    pressing enter now. :p

    ETA: skeert now, so not doing anything till you write back; i thought you said i needed to download these, run them on the PC and then NOT DO ANYTHING but it appears that just clicking on them is making the magic happen.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    What's WBRC ?

    Re opening etc these Apps etc.

    Why are you doing that ?

    * I said to drag/drop = copy/move ALL 5 Dl'd files from the Ex HD to the PC's desktop, & then NOT run them until i said !

    Re - DOS windows opening etc

    Yes they do look like that.

    * Instead of Left clicking on them to move onto the PC's desktop, Right click on them one at a time & select COPY then Right click & PASTE onto the PC's desktop. Repeat for each of the 5 files.

    If Avast pops up ignore any warnings & allow the moves but do NOT run anything.

    Do * & post back. & DON'T run anything else yet !

    Standing by
     
  3. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    oh, my oh so very bad. i forgot you said to put it on the desktop.

    ))-:
     
  4. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    ok. files moved to folder on desktop...
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    OK let's be CLEAR.

    You now have ONLY the following 5 new files in ONE new Folder you created on the PC's desktop.

    aswMBR

    MBRCheck

    TDSS Killer


    MBAM & SAS Database Definitions

    Yes or no ?
     
  6. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    yes12345
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    And you are Disconnected from the Internet by Still having removed that cable days ago ?
     
  8. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    yes

    xjljsldfjlsd
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    xjljsldfjlsd = ?

    OK we are going to ONLY do ONE thing at a time, so be VERY careful to select the correct file etc etc !

    Go ahead & double click aswMBR

    Click the [Scan] button to start scan

    On completion of the scan click [Save log], save it to your desktop & post it here.

    Do NOT click ANY other tab/option etc on aswMBR
     
  10. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    scan complete; i downloaded it to the Ext HD. do you want me to move it to the Laptop desktop now or wait till we've run all the scans (or whatever we're doing)?

    ETA - never mind.

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-27 19:23:21
    -----------------------------
    19:23:21.343 OS Version: Windows 5.1.2600 Service Pack 3
    19:23:21.343 Number of processors: 1 586 0x207
    19:23:21.343 ComputerName: NOBLESSE-P5 UserName: kathy
    19:23:21.625 Initialize success
    19:23:26.062 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
    19:23:26.062 Disk 0 Vendor: WDC_WD800BB-60CJA1 17.07W17 Size: 76319MB BusType: 3
    19:23:26.062 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BB-60CJA1______________________17.07W17#4457572d414d4341323136353435_035_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    19:23:26.062 Device \Driver\atapi -> DriverStartIo 87155af1
    19:23:28.062 Disk 0 MBR read successfully
    19:23:28.062 Disk 0 MBR scan
    19:23:28.062 Disk 0 Windows XP default MBR code
    19:23:30.062 Disk 0 scanning sectors +156280320
    19:23:30.078 Disk 0 scanning C:\WINDOWS\system32\drivers
    19:23:36.421 File C:\WINDOWS\system32\drivers\cdrom.sys TDL3 **ROOTKIT**
    19:23:36.421 Disk 0 trace - called modules:
    19:23:36.437 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87155ecc]<<
    19:23:36.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87379ab8]
    19:23:36.437 3 CLASSPNP.SYS[f772efd7] -> nt!IofCallDriver -> \Device\00000066[0x873d1f18]
    19:23:36.937 5 ACPI.sys[f76a5620] -> nt!IofCallDriver -> [0x87381940]
    19:23:36.937 [0x872a99a0] -> IRP_MJ_CREATE -> 0x87155ecc
    19:23:36.937 Scan finished successfully
    19:24:53.468 Disk 0 MBR has been saved successfully to "F:\2011 may PC scan results\MBR.dat"
    19:24:53.468 The log file has been saved successfully to "F:\2011 may PC scan results\aswMBR.txt"
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yes move the Log to the Laptop & post it here.

    You will move ALL logs that way so i can see them, but just a Reminder, we are ONLY doing one thing at a time, NOT side by side.

    So let's try & get the first one done ;)
     
  12. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    did you see the previous post has the log in it?
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Please do NOT go ahead & do things without waiting till i say, as that could mess things up, for you, & also makes it harder for me !

    As it happens this time you were lucky !

    The Log shows you ARE infected still with that Rootkit !

    If you closed aswMBR relaunch it & scan again, when it's finished press FIX

    [image: fix.gif]

    If it asks to ReBoot, do so. Either way ReScan & post back with the new Log
     
  14. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    I exited when i wasn't supposed to. got it. ok. one step at a time, only when you give the command. sorry.

    i scanned again but the 'fix' does not light up; only 'fixmbr' is clickable.
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Close aswMBR for now.

    Run MBRCheck & post the Log
     
  16. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    Avast is suggesting action to take:

    "open in sandbox"

    other options are:
    open normally
    cancel opening

    i'll open normally...
     
  17. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    MBRCheck has run (i'm looking at a DOS window).

    it says it's done, but i don't know how to copy the log... is there an easy way you can tell me?
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I thought you agreed to wait for advice before doing Anything ? :(

    open normally is ok, but you did NOT know that before. Don't RISK doing things you're not sure of, PLEASE !
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    MBRCheck Log should be in the Folder you ran it from, or on the PC's desktop.
     
  20. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    I am trying to expedite things as i so appreciate what you are doing and feel terrible that it is a terrible hour/time for you and am trying to anticipate the answer to move it FWD. I will hence resist such moves and wait... I understand the old adage "haste makes waste". Tell my kids all the time..

    I copied/pasted somehow:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003d

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000005`020b6c00 (NTFS)
    \\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    465 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
    Press ENTER to exit...

    >> I have NOT pressed ENTER, for whatever that's worth at this stage of the game...

    In the future, when Avast asks me that question, what shall i answer?
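    The two logs posted in this thread (the aswMBR log in post 10 and the MBRCheck log above) have a stable line format, so they can be triaged by script. The helper below is an added example, not code from the thread or from either tool; the embedded excerpts are constructed from the posted logs, the regexes and the 512-byte sector assumption are mine.

```python
import re

# Constructed excerpts in the formats the thread shows (aswMBR and MBRCheck);
# paths, hash and addresses are copied from the posted logs for illustration.
ASWMBR_LOG = r"""19:23:28.062 Disk 0 Windows XP default MBR code
19:23:36.421 File C:\WINDOWS\system32\drivers\cdrom.sys TDL3 **ROOTKIT**
19:23:36.437 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87155ecc]<<
19:23:36.937 Scan finished successfully"""

MBRCHECK_LOG = r"""Logical Drives Mask: 0x0000003d
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000005`020b6c00 (NTFS)
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A"""

SECTOR = 512  # assumption: MBRCheck offsets are bytes on a 512-byte-sector disk


def aswmbr_findings(log):
    """Return (path, detection) for each file aswMBR flagged **ROOTKIT**, plus
    ('hook', address) for any unresolved (>>UNKNOWN<<) entry in the driver chain."""
    found = []
    for line in log.splitlines():
        if m := re.search(r" File (\S+) (.+?) \*\*ROOTKIT\*\*$", line):
            found.append((m.group(1), m.group(2)))
        if m := re.search(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", line):
            found.append(("hook", m.group(1)))
    return found


def drive_letters(mask):
    """Expand the 'Logical Drives Mask' bitmap: bit 0 is A:, bit 1 is B:, and so on."""
    return "".join(chr(ord("A") + i) for i in range(26) if (mask >> i) & 1)


def parse_mbrcheck(log):
    """Return (mask letters, volume -> (disk, start sector, fs), disk -> [status, sha1])."""
    letters, volumes, disks, last_disk = "", {}, {}, None
    vol_re = r"\\\\\.\\([A-Z]): --> \\\\\.\\(PhysicalDrive\d+) at offset 0x([0-9a-f]+)`([0-9a-f]+) \((\w+)\)"
    for line in log.splitlines():
        if line.startswith("Logical Drives Mask:"):
            letters = drive_letters(int(line.split(":")[1], 16))
        elif m := re.match(vol_re, line):
            offset = int(m.group(3) + m.group(4), 16)  # backtick splits the 64-bit offset
            volumes[m.group(1)] = (m.group(2), offset // SECTOR, m.group(5))
        elif m := re.match(r"\d+ GB \\\\\.\\(PhysicalDrive\d+) (.+)$", line):
            last_disk = m.group(1)
            disks[last_disk] = [m.group(2), None]
        elif line.startswith("SHA1:") and last_disk:
            disks[last_disk][1] = line.split()[1]  # hash of the MBR code, for comparing disks
    return letters, volumes, disks
```

    The point a defender takes from running it over these logs: the MBR code on both disks is the stock XP code with an identical hash, while the rootkit finding is in a hooked driver (cdrom.sys), which is why the MBR-level "Fix" in aswMBR was greyed out and TDSSKiller's "Cure" on the driver was the right next step.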
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Re - Avast. As i said, open normally is ok.

    Re - MBRCheck. Press ENTER to exit...

    Then,

    Run TDSS Killer

    It will try to connect out to update, but obviously can't as you've disconnected.

    Press Start Scan

    After it's finished Press Report & a Log will Open. Copy/Paste that into your next Post
     
  22. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    TDSS is asking me which objects to scan: services & drivers; boot sectors.

    scan both?
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    scan both = YES
     
  24. kathyL

    kathyL Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    202
    it has finished scanning but the only options are "cure" and "continue".

    it states: malicious objects

    rootkit.win32.......

    the file is: c:\windows\system32\drivers\cdrom.sys
     
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Yes confirmed = Nasty !

    Press CURE & If it wants to ReBoot, let it
     