Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Mebroot Infection???


  • This topic is locked This topic is locked
52 replies to this topic

#1 ldogg1

ldogg1

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 13 April 2010 - 10:42 PM

Hello,

I've recently been disconnected from my ISP due to security issues, and they advised me is was due to a possible infection. I guess the 2 types of files that the ISP detected coming from a pc on my network are the mebroot and torpig.

I don't know much about these 2 file types, other then the fact they are trojans and can be very harmful.

I ran a virus/spyware scan a couple times and cleaned everything, however from what I have read I understand this type of trojan can get into the MBR and can be a pain to get rid of.

I stumbled across the Gmer tool, and ran a scan...

Is this the correct step to take, and should I post the info???

Any help would be greatly appreciated. As I indicated, I have been disconnected several times due to security issues and I'm guessing my scans are not clearing whatever the problem could be.

Thanks!

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:10 AM

Posted 13 April 2010 - 10:57 PM

Hello ,post the GMER log.

To check for and confirm the MBR rootkit, use the GMER standalone mbr.exe tool.

Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.


Next:
Please download HAMeb_check.exe and save it to your desktop.
  • Double-click on HAMeb_check.exe to run the utility and it will create a log.
  • Copy and paste the contents of that log in your next reply.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 ldogg1

ldogg1
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 14 April 2010 - 06:56 AM

Thanks for the quick response!

Here are the results of the mbr log;

-----------------------------------------

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x89d525e8
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x89269220
Warning: possible MBR rootkit infection !
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

------------------------------------------

Here are the results of the HAlog;

---------------------------------------

C:\Documents and Settings\X\Desktop\HAMeb_check.exe
14/04/2010 at 7:49:21.73

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-1187282231-172899418-1210723608-1005
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D525E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x89d525e8
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x89269220
Warning: possible MBR rootkit infection !
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"6974:TCP"=6974:TCP:*:Enabled:Services
"4428:TCP"=4428:TCP:*:Enabled:Services
"6605:TCP"=6605:TCP:*:Enabled:Services
"3006:TCP"=3006:TCP:*:Enabled:Services
"3723:TCP"=3723:TCP:*:Enabled:Services
"5946:TCP"=5946:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3246:TCP"=3246:TCP:*:Enabled:Services
"2479:TCP"=2479:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"6974:TCP"=6974:TCP:*:Enabled:Services
"4428:TCP"=4428:TCP:*:Enabled:Services
"6605:TCP"=6605:TCP:*:Enabled:Services
"3006:TCP"=3006:TCP:*:Enabled:Services
"3723:TCP"=3723:TCP:*:Enabled:Services
"5946:TCP"=5946:TCP:*:Enabled:Services


~~ EOF ~~

---------------------------------------------------------

#4 ldogg1

ldogg1
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 14 April 2010 - 12:22 PM

Should I run a HijackThis report as well?

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:10 AM

Posted 14 April 2010 - 01:18 PM

Not yet,

Please download HelpAsst_mebroot_fix.exe by noahdfear, save it to your desktop.
  • Close out all other open programs and windows.
  • Double-click on it to run the tool and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, go to > Run..., and in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.
*In the event the tool does not detect an mbr infection and completes, do this:
  • Go to > Run... and in the Open dialog box, type: mbr -f
  • Click OK or press Enter.
  • Now, please do the Start > Run > mbr -f command a second time.
  • Shut down the computer (do not restart, but shut it down). Wait about five minutes, then start it back up.
  • After restart go to > Run... and in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.
-- Important note to Dell users: Fixing the mbr may prevent access to the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a few known fixes for this, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually. You will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.45) and save it to your desktop.MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 ldogg1

ldogg1
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 14 April 2010 - 06:32 PM

Alright I think I might be in some trouble...

I was working through Step 1, running the HelpAsst_mebroot_fix.exe file and letting it run through it's course. The program did detection an infection, and I pushed yes to let it run mbr -f and then the computer shut down... As you indicated.

I waited 5 mins as per the directions, and now I cannot boot the computer.

When I try to turn it back on, it can't run through the boot sequence and I get this error message;

For Realtek RTL8139(X)/8130/810X PCI Fast Ethernet Controller v2.13 (020326)
PXE-E61: Media test failure, check cable
PXE-M0F: Exiting PXE ROM.


It loops into trying to boot this device, and does not get any further just repeats trying to boot and this message occurs over and over. Finally I had to do a hard shut down.

I am able to get into the BIOS by pressing F2, but when I try to boot it will not work.

Any ideas???

Thanks




#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:10 AM

Posted 14 April 2010 - 07:56 PM

Ok, I will bring some assistants.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:10 PM

Posted 15 April 2010 - 02:12 AM

Hello there,

First of all a question: do you know if any drive encryption software is used or do you have a Dell computer?

I am moving this thread to the Malware Removal forum.

Please download ARCDC from Artellos.com.
  • Double click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few dos screens flash by, this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC
Your ISO is located on your desktop.
  • Insert the CD we created into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Type fixmbr and press enter. Confirm if asked.

Now type exit and press enter to restart your computer. Let me know if it boots now.

Edited by elise025, 15 April 2010 - 05:39 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 ldogg1

ldogg1
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 15 April 2010 - 06:54 AM

Hello,

Thanks for the quick reply.

In answer to your questions...

1. No, I don't believe I have any drive encryption software
2. No, I have a Toshiba laptop

For the process of running the ARCDC utility, am I supposed to run this on the laptop with problems? I cannot even get to Windows because of this loop issue with one of the drivers with the error message;

For Realtek RTL8139(X)/8130/810X PCI Fast Ethernet Controller v2.13 (020326)
PXE-E61: Media test failure, check cable
PXE-M0F: Exiting PXE ROM.


I'm not sure if you meant to run the ARCDC utility on another pc, THEN boot it on the problematic laptop. But I will not even be able to download/save/run this utility on the problematic laptop.

Unless there is a way to get into Windows so I can download this utilility, I'm a little confused...

Thanks again.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:10 PM

Posted 15 April 2010 - 06:56 AM

QUOTE
I'm not sure if you meant to run the ARCDC utility on another pc, THEN boot it on the problematic laptop
Exactly, on a clean computer you create the CD, then you boot from it on the problem PC.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 ldogg1

ldogg1
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 15 April 2010 - 08:27 AM

Ok great!

I will give that a try.

One other thing, does the CD have to be created on a PC with Windows XP, or can I create it from a computer with Windows Vista?

Thanks

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:10 PM

Posted 15 April 2010 - 08:34 AM

Doesn't matter on what OS you create it smile.gif

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 ldogg1

ldogg1
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 15 April 2010 - 04:38 PM

Ok... I walked through all of the instructions as indicated, and when I restart the computer I get the following error message;

Invalid partition table

I cannot proceed any further.

Any other ideas?

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:12:10 PM

Posted 16 April 2010 - 02:28 AM

Hello again,

With a bit of luck we should be able to recreate the partition table.

You're going to need a program called TestDisk. It's a free and open source disk recovery program.

Since you can't boot, we are going to need to create a bootable CD first.

OK this file is big Print these instruction out so that you know what you are doing

Two programs to download

First

ISOBurner this will allow you to burn OTLPE ISO to a cd and make it bootable. Just install the program, from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.


On a working computer
Step 1: Download the TestDisk executable for Windows here: Download
Step 2: Extract the downloaded zip file (right click on the file > extract files) and save it to a flash drive.

On the Reatogo-X-PE desktop
Step 3: Use My Computer to navigate to your flashdrive and double-click on the testdisk_win.exe file (found in the win folder of the extracted archive)
Step 4: You will now be at a scary looking text-based command window:

Press Enter here to create a new log file.

Step 5: TestDisk will now detect all local hard drives, and present them in a list like this:

You have indicated that there is only one hard drive attached to your computer, with two partitions. So, use the arrow (up and down) keys to highlight the disk called /dev/sda.

Note: If /dev/sda isn't listed or you have more than one hard drive, STOP and post back here.

With /dev/sda selected, press Enter

Step 6: Now we need to specify the type of partitions that are on your disk. Select Intel (even if you have an AMD processor).

Press Enter.

Step 7: Select Analyse and press Enter.


Step 8: The next screen will list all found partitions. Press Enter to run a Quick Search.


When asked, say No to this screen:


Step 9: If your missing partition is found, it should show up in the list:

For now, press Q to quit and post me the testdisk log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 ldogg1

ldogg1
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:05:10 AM

Posted 23 April 2010 - 10:54 PM

Hello,

Sorry I haven't had a chance to take a crack at your latest solution, however I finally got to it tonight.

I ran through all of your instructions as indicated in the last post, and I believe the last part was to post you the log file results. Below is a c/p from the log file I ran as per your direction;

---------------------------------------

Sat Apr 24 00:08:36 2010
Command line: TestDisk

TestDisk 6.11.3, Data Recovery Utility, May 2009
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Windows XP
Compiler: GCC 4.3, Cygwin 1005.25 - May 6 2009 20:35:43
ext2fs lib: 1.41.4, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20080501
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sda)=80026361856
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(/dev/sdb)=256900608
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive0)=80026361856
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\PhysicalDrive1)=256900608
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\C:)=80026361856
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\D:)=256588288
disk_get_size_win32 IOCTL_DISK_GET_LENGTH_INFO(\\.\X:)=290246656
file_pread(4,1,buffer,156312449(9729/254/63)) lseek err Invalid argument
file_pread(5,1,buffer,514079(31/254/63)) lseek err Invalid argument
Hard disk list
Disk /dev/sda - 80 GB / 74 GiB - CHS 9729 255 63, sector size=512 - TOSHIBA MK8032GSX
Disk /dev/sdb - 256 MB / 244 MiB - CHS 31 255 63, sector size=512 - SanDisk Cruzer Micro
Drive X: - 290 MB / 276 MiB - CHS 69 64 32, sector size=2048 - MATbleepA DVD-RAM UJ-841S

Partition table type (auto): Intel
Disk /dev/sda - 80 GB / 74 GiB - TOSHIBA MK8032GSX
Partition table type: Intel

Analyse Disk /dev/sda - 80 GB / 74 GiB - CHS 9729 255 63
Geometry from i386 MBR: head=66 sector=32
BAD_RS LBA=670200545 13452528
check_part_i386 1 type D3: no test
BAD_RS LBA=670200545 13452528
check_part_i386 2 type D3: no test
BAD_RS LBA=670200545 13452528
check_part_i386 3 type D3: no test
BAD_RS LBA=670200545 13452528
check_part_i386 4 type D3: no test
Current partition structure:
1 * Sys=D3 41718 13 57 147102 108 34 1692999923

Bad relative sector.
2 * Sys=D3 41718 13 57 147102 108 34 1692999923

Bad relative sector.
3 * Sys=D3 41718 13 57 147102 108 34 1692999923

Bad relative sector.
4 * Sys=D3 41718 13 57 147102 108 34 1692999923

Bad relative sector.
Ask the user for vista mode
Allow partial last cylinder : No
search_vista_part: 0

search_part()
Disk /dev/sda - 80 GB / 74 GiB - CHS 9729 255 63
NTFS at 0/1/1
filesystem size 155878632
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 657959
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 0 1 1 9702 254 63 155878632 [S3A3305D001]
NTFS, 79 GB / 74 GiB
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=2

Results
* HPFS - NTFS 0 1 1 9702 254 63 155878632 [S3A3305D001]
NTFS, 79 GB / 74 GiB

interface_write()
1 * HPFS - NTFS 0 1 1 9702 254 63 155878632 [S3A3305D001]
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

TestDisk exited normally.

--------------------------------------------------


Any ideas as to the next steps???

Thanks again for your help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users