
[SOLVED] re-install windows 7 ?

Hi, one_unique_guy.

What makes you think your computer is infected? If you'd like, you can run the tool as instructed below which will back up and scan the MBR.

Please download aswMBR and save it to your Desktop.
  • Right click aswMBR.exe & choose "Run as Administrator" to run it.
  • Click Yes to the prompt to download Avast! virus definitions.
    (Please be patient whilst the virus definitions download)
  • With the AVscan set to Quick Scan, click the Scan button.
    (Please be patient whilst your computer is scanned.)
  • After a while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
  • Click OK > Exit.
  • Note: Do not attempt to fix anything at this stage!
  • Two files will be created, aswMBR.txt & a file named MBR.dat.
  • MBR.dat is a backup of the MBR (master boot record); do not delete it.
  • I strongly suggest you keep a copy of this backup stored on an external device.
  • Copy & Paste the contents of aswMBR.txt into your next reply.

Here is the text information
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software

Run date: 2012-05-31 15:02:44

-----------------------------

15:02:44.888 OS Version: Windows x64 6.1.7601 Service Pack 1

15:02:44.888 Number of processors: 4 586 0x2A07

15:02:44.888 ComputerName: MAIN UserName: Paul

15:02:48.148 Initialize success

15:06:02.912 AVAST engine defs: 12053100

15:06:33.363 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

15:06:33.363 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 3

15:06:33.363 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1

15:06:33.363 Disk 1 Vendor: SAMSUNG_ 1AA0 Size: 953868MB BusType: 3

15:06:33.363 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IAAStorageDevice-2

15:06:33.363 Disk 2 Vendor: Hitachi_ JKAO Size: 1907728MB BusType: 3

15:06:33.378 Disk 0 MBR read successfully

15:06:33.378 Disk 0 MBR scan

15:06:33.378 Disk 0 Windows 7 default MBR code

15:06:33.378 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048 what is this for, and what is the offset for / mean?

15:06:33.410 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848 why is there an offset?

15:06:33.441 Disk 0 scanning C:\Windows\system32\drivers

15:06:41.568 Service scanning

15:07:00.507 Modules scanning

15:07:00.507 Disk 0 trace - called modules:

15:07:00.522 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll

15:07:00.538 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009a88060]

15:07:00.538 3 CLASSPNP.SYS[fffff88001f8e43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa80087cb050]

15:07:03.471 AVAST engine scan C:\Windows

15:07:07.308 AVAST engine scan C:\Windows\system32

15:09:43.683 AVAST engine scan C:\Windows\system32\drivers

15:09:58.644 AVAST engine scan C:\Users\Paul

15:20:56.252 AVAST engine scan C:\ProgramData

15:30:03.405 Scan finished successfully

15:32:41.593 Disk 0 MBR has been saved successfully to "C:\Users\Paul\Desktop\MBR.dat"

15:32:41.624 The log file has been saved successfully to "C:\Users\Paul\Desktop\aswMBR.txt"
 
15:06:33.378 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048 what is this for, and what is the offset for / mean?
15:06:33.410 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848 why is there an offset?

That I can't tell you, other than it is common to see in logs. What I was looking to confirm is that there was no entry like "**INFECTED** MBR:Alureon-K [Rtk]". Fortunately there is no indication that the MBR is infected.

However, seeing "246 Windows Updates failures since January" and the MSE indication of suspicious behavior by C:\Users\Paul\AppData\Local\Temp\un984.exe implies that there is more going on than the inability to record a blank CD. There are no results for un984.exe; however, 984.exe is described as "cloaked malware".

Have you run Malwarebytes, as suggested by jcgriff2? If so, please post the log here, so as not to confuse the other thread.
 
The 100 MB partition has some boot stuff that Windows puts in there. I haven't had any time to research that portion of setup, so I can't explain it exactly - but it is legitimate and is on many, many Win7 systems.

Now to show my ignorance about things related to malware:
What about the ZeroAccess rootkit? I had my first exposure to it today (a STOP 0xc0000135 error missing %hs)
No mention of it in the MBR - but it sure hosed the ability of this system to boot into Windows!
 
ZeroAccess hasn't been picked up by MSE and it is in detection as Win64/Sirefef. The variant added today. From http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win64/Sirefef.Y:

Trojan:Win64/Sirefef.Y is a component of Win64/Sirefef - a multi-component family of malware that moderates your Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing the main payload.

It provides selected function calls for Win64/Sirefef to establish network connections.

McAfee has an extensive writeup at ZeroAccess.a - Malware - McAfee Labs Threat Center.
 
I had to deal with ZeroAccess in the past and manually removed it. Was a bugger.

Anyways, I believe the "offset" means the starting position of the partition in relation to the drive. So offset 2048 means 2048 sectors(?) from the beginning of the drive.
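
The partition lines from the log, decoded from a raw MBR, as an added example that is not part of any post in this thread and is not aswMBR's own code. It assumes the log's "80", "07" and "offset" columns correspond to the status byte, type byte and starting LBA of a standard MBR partition entry, with 512-byte sectors; the sample MBR is constructed to mirror the two partitions in the log.

```python
import struct

SECTOR = 512                      # assumed logical sector size in bytes
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS(skipped), type, CHS(skipped), start LBA, sector count


def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):            # the table holds four 16-byte entries at byte 446
        status, ptype, start_lba, sectors = ENTRY.unpack_from(mbr, 446 + 16 * i)
        if ptype == 0:            # type 0x00 marks an unused slot
            continue
        parts.append({
            "index": i + 1,
            "active": status == 0x80,   # 0x80 = bootable, shown as "80 (A)" in the log
            "type": ptype,              # 0x07 = HPFS/NTFS
            "offset": start_lba,        # first sector of the partition, counted from sector 0
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return parts


def build_sample_mbr() -> bytes:
    """Constructed sample: same layout as the two Disk 0 partitions in the log."""
    mbr = bytearray(512)
    # Partition 1: active, NTFS, starts at sector 2048, 100 MB = 204800 sectors
    ENTRY.pack_into(mbr, 446, 0x80, 0x07, 2048, 100 * 2048)
    # Partition 2: starts right after partition 1 (2048 + 204800 = 206848)
    ENTRY.pack_into(mbr, 462, 0x00, 0x07, 206848, 953767 * 2048)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # To inspect a real backup instead, read the first 512 bytes of MBR.dat.
    for p in parse_mbr(build_sample_mbr()):
        flag = "80 (A)" if p["active"] else "00"
        print(f"Partition {p['index']} {flag} {p['type']:02X} "
              f"{p['size_mb']} MB offset {p['offset']}")
```

With 512-byte sectors, offset 2048 puts the first partition 1 MiB into the disk, and the second partition's offset is the first one's offset plus its length in sectors.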
 
Yes, the drive was used in the old system; however, I am no longer sure if it was the boot drive.
No, the OS was not on any other system; it was new hardware and old drives.
I bought the Win 7 and MB at the same time.
Was the operating system and C drive in use in another pc with a different motherboard to the one you are using now in the new system?
 
