
PBR...done [XLDR] !ATA


This topic is locked
45 replies to this topic

#1 PressRewind
Members, 40 posts, Texas
Posted 06 July 2012 - 10:48 PM

I have a DELL XPS M140 laptop running Windows XP Professional SP3. I had AVG Free Edition. A while ago AVG said it had a new version out and if I wanted to update I could get the AVG Security 2012 for free for a few days, so I thought I would try it. When the trial ran out I thought it would revert back to the free edition but I'm not sure if it did. Yesterday I decided to install Adaware Antivirus Pro. I did a virus scan last night and it found 11 items. I told it to delete them today. Shortly after I did that I started getting strange error messages. The first one stated, "C:\WINDOWS\System32\ntvdm.exe Error while setting up the environment for the application. Choose close to terminate the application." I also got a message stating, "System Error. Hard disk failure detected. It's highly recommended to run a complete HDD scan to prevent loss of personal files". I scanned my computer with TDSSKiller and it did not find anything. I noticed that my desktop icons and files started disappearing. I went into my settings and told my computer to show hidden files and everything came back. While I was scanning my system with Malwarebytes, Windows shut down on its own. When I turned my computer on again it failed to boot Windows. All I see is the lines PBR4...done [XLDR] !ATA. I downloaded the AVG Recovery CD and used it to boot from a USB drive. I scanned my computer with the AVG Recovery CD but it did not find anything. I'm pretty sure this is caused by a virus but I don't know how to get rid of it since I can't boot Windows. I'm trying to avoid reloading Windows and everything. Let me know if you need any more details. :)

Edited by PressRewind, 06 July 2012 - 10:49 PM.




#2 PressRewind (Topic Starter)
Members, 40 posts, Texas
Posted 09 July 2012 - 06:26 PM

I have been doing some research while waiting for a reply for my request for help. I believe that my computer is infected with the TDL4 virus. I'm pretty sure it has made a partition on my hard drive and infected my master boot record. I do not have a copy of Windows XP Pro since Dell only ships their custom install disks with their computers. I do not have a lot of experience with manipulating partitions or the master boot record but with your help I'm sure we can get rid of this virus.

#3 boopme
Global Moderator, 72,924 posts, NJ USA
Posted 09 July 2012 - 11:17 PM

Hello PressRewind, Can we run these now?

If needed you may have to put these on a flash drive or CD.



Reboot into Safe Mode with Networking
How to enter safe mode (XP/Vista) using the F8 method:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.



Run RKill....


Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running RKill, as the malware programs will start again. If rebooting is required, run it again afterwards.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.


>>>
Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log has a name like: TDSSKiller.Version_Date_Time_log.txt.

>>>
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

How do I get help? Who is helping me?
"For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear."

#4 PressRewind (Topic Starter)
Members, 40 posts, Texas
Posted 10 July 2012 - 12:24 AM

I attempted several times and I cannot get my computer to boot into safe mode. All I get is
PBR 4...done
[XLDR] !ATA

#5 boopme
Global Moderator, 72,924 posts, NJ USA
Posted 10 July 2012 - 02:18 PM

Will they work in Normal?

#6 PressRewind (Topic Starter)
Members, 40 posts, Texas
Posted 10 July 2012 - 02:39 PM

My master boot record is messed up so windows will not boot at all.

#7 boopme
Global Moderator, 72,924 posts, NJ USA
Posted 10 July 2012 - 02:47 PM

Ok, I have to ask another to look here..

#8 Elise
Malware Study Hall Admin, 60,931 posts, Romania
Posted 10 July 2012 - 03:17 PM

Hello,

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB drive and the CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press Enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft
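Once mbr.bin is back on the clean machine, the first look is mechanical: is the 0x55AA boot signature present, what does the partition table say, and does the boot-code region match a known-clean sector from the same OEM image. The script below does that first pass. It is an added example, not code from this thread or from TDSSKiller, aswMBR or xPUD; its disk size, partition layout and "clean" boot-code bytes are constructed placeholders, not a real Dell MBR. The trailing-space check is a generic sanity heuristic (the poster suspects an added partition), not a TDL4 signature; a real verdict still needs the boot code disassembled or compared against the vendor's original.

```python
"""Inspect a raw MBR dump (the 512 bytes from `dd if=/dev/sda of=mbr.bin bs=512 count=1`).

Added example for this thread, not code from BleepingComputer or any tool named in it.
The sample sectors, disk size and partition layout below are constructed.
"""
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # boot code; bytes 440..445 hold the disk signature and padding
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510         # 0x55 0xAA on disk, 0xAA55 read little-endian
TAIL_SLACK_SECTORS = 2048  # heuristic: more than 1 MiB unpartitioned at disk end is worth a look


def parse_mbr(data: bytes) -> dict:
    """Split a raw sector into boot-code hash, partition entries and a signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * PART_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", data, off)
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({
            "slot": slot, "active": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": count, "lba_end": lba_start + count - 1,
        })
    return {
        "boot_signature_ok": struct.unpack_from("<H", data, BOOT_SIG_OFF)[0] == 0xAA55,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def review_mbr(data: bytes, reference: Optional[bytes] = None,
               disk_sectors: Optional[int] = None) -> list:
    """Return the findings a reviewer would look at first. Heuristics, not detections."""
    info = parse_mbr(data)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("boot signature is not 0x55AA; this is not a valid MBR")
    if reference is not None:
        # Byte-for-byte compare of the boot code against a known-clean MBR (ideally same OEM image)
        pairs = zip(data[:BOOT_CODE_LEN], reference[:BOOT_CODE_LEN])
        diffs = [i for i, (a, b) in enumerate(pairs) if a != b]
        if diffs:
            findings.append(f"boot code differs from reference at {len(diffs)} byte(s), "
                            f"first at offset {diffs[0]}")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partition(s); expected exactly 1")
    parts = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(parts, parts[1:]):
        if a["lba_end"] >= b["lba_start"]:
            findings.append(f"partition slots {a['slot']} and {b['slot']} overlap")
    if disk_sectors is not None and parts:
        for p in parts:
            if p["lba_end"] >= disk_sectors:
                findings.append(f"partition slot {p['slot']} extends past the end of the disk")
        tail = disk_sectors - 1 - parts[-1]["lba_end"]
        if tail > TAIL_SLACK_SECTORS:
            findings.append(f"{tail} sectors unpartitioned at the end of the disk; check what is there")
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and (active, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for slot, (active, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + slot * PART_ENTRY_LEN,
                         0x80 if active else 0x00, ptype, lba_start, count)
    struct.pack_into("<H", sector, BOOT_SIG_OFF, 0xAA55)
    return bytes(sector)


# Constructed samples: an assumed 80 GB disk with a Dell-style layout (utility, recovery, Windows).
DISK_SECTORS = 156_301_488
CLEAN_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
LAYOUT = [
    (False, 0xDE, 63, 80_262),                            # Dell utility partition
    (False, 0x07, 80_325, 4_000_000),                     # Dell recovery image
    (True,  0x07, 4_080_325, DISK_SECTORS - 4_080_325),   # Windows, fills the rest of the disk
]
CLEAN_MBR = build_mbr(CLEAN_CODE, LAYOUT)

# Same disk, but the first 16 boot-code bytes were overwritten and the Windows partition was
# shortened, leaving 20480 sectors at the end of the disk unaccounted for.
SUSPECT_CODE = bytes(b ^ 0xFF for b in CLEAN_CODE[:16]) + CLEAN_CODE[16:]
SUSPECT_LAYOUT = LAYOUT[:2] + [(True, 0x07, 4_080_325, DISK_SECTORS - 4_080_325 - 20_480)]
SUSPECT_MBR = build_mbr(SUSPECT_CODE, SUSPECT_LAYOUT)

if __name__ == "__main__":
    # Real use: review_mbr(open("mbr.bin", "rb").read(), reference=<clean dump>, disk_sectors=<from fdisk -l>)
    for name, sector in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        print(name, parse_mbr(sector)["boot_code_sha256"][:16],
              review_mbr(sector, CLEAN_MBR, DISK_SECTORS) or ["no findings"])
```

The reference dump matters more than the heuristics: Dell images ship a known boot sector, so a byte-for-byte mismatch in the first 440 bytes against a dump from an identical clean machine is the strongest signal the script can give; the partition checks only tell you where to point a hex editor next.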


#9 PressRewind (Topic Starter)
Members, 40 posts, Texas
Posted 11 July 2012 - 01:00 AM

sdb1,sdb2,sdb3,sdb4 are shown under mount. I was not sure which one was supposed to be my USB so I put the mbr.bin file in each of the folders. When I plug the USB into this computer the file is not there for whatever reason. I did notice that if I boot the sick computer without the USB plugged in I do not see sdb1,sdb2,sdb3,sdb4. My USB has 1G of space and is FAT32. :huh:

#10 Elise
Malware Study Hall Admin, 60,931 posts, Romania
Posted 11 July 2012 - 01:43 AM

Do you see sda1 as well under xPUD?

regards, Elise




#11 PressRewind (Topic Starter)
Members, 40 posts, Texas
Posted 11 July 2012 - 10:13 AM

I see sda1, sda2, sda3, sda4. They are there even when the USB is not in the computer. I even tried putting a picture on my USB to see if I could see it when I used xPUD but could not. It almost seems like it is not showing up under mnt. If I remove the USB, xPUD recognizes that it has been unplugged.

Edited by PressRewind, 11 July 2012 - 10:19 AM.


#12 Elise
Malware Study Hall Admin, 60,931 posts, Romania
Posted 11 July 2012 - 10:24 AM

Which sda<number> is your windows partition (open them and see which one has the Windows folder on them)?

regards, Elise




#13 PressRewind (Topic Starter)
Members, 40 posts, Texas
Posted 11 July 2012 - 10:28 AM

sda2 and sda1 look like they have some files that Dell put on there. I think it is used for reinstalling Windows without the CDs.

Edited by PressRewind, 11 July 2012 - 10:30 AM.


#14 Elise
Malware Study Hall Admin, 60,931 posts, Romania
Posted 11 July 2012 - 11:01 AM

Could you try it with another usb device?

If that doesn't show up either, look on sda3, which is most likely your windows partition and execute the command from there. MBR.bin should then be created there. Right click it and select Rename. Rename it to mbr.zip

Next click the Tools tab (left panel) and open Firefox. Navigate to this topic and attach mbr.zip.

regards, Elise




#15 PressRewind (Topic Starter)
Members, 40 posts, Texas
Posted 11 July 2012 - 02:56 PM

I tried using a different USB and it worked. I have attached the file you requested.

Attached file: mbr.zip (599 bytes, 5 downloads)




