Rootkit - MBR: \\.\PHYSICALDRIVE0

[Siyanaify]

My Avast! scan logs keep saying I have a rootkit called "MBR:\\.\PHYSICALDRIVE0" which I've tried to send to chest several times to no avail. It doesn't show up on the boot scans and I've had blue screen twice so far; once last night when I first got the rootkit and again today when I turned on my networking. When I managed to get it into safe mode, my laptop restarted itself before I could do anything.

Any help on fixing this will be much appreciated.

[DavidR]

You can check if you have an MBR rootkit using this tool:

Download aswMBR.exe ( 1.8MB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply

[Siyanaify]

I tried running it and I got blue screen. I tried again in safe mode only to get a blue screen again. The error I got was "DRIVER_IRQS_NOT_LESS_OR_EQUAL" What should I do?

[DavidR]

You can try another rootkit tool, but if that can't run either, I don't know if that is down to the existing rootkit blocking security tools.

Second opinion now

Please read carefully and follow these steps. 

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
   
  
   
   
  
• If an infected file is detected, the default action will be Cure, click on Continue.
   
  
   
   
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
   
  
   
   
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
   
  
   
   
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

[Siyanaify]

Okay, I scanned it successfully. Here is the log. I removed the unimportant stuff.

Code: [Select]

2011/06/26 18:00:34.0734 1840 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/26 18:00:34.0765 1840 ================================================================================
2011/06/26 18:00:34.0765 1840 Scan finished
2011/06/26 18:00:34.0765 1840 ================================================================================
2011/06/26 18:00:34.0781 1152 Detected object count: 1
2011/06/26 18:00:34.0781 1152 Actual detected object count: 1
2011/06/26 18:00:53.0111 1152 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/26 18:00:53.0111 1152 \Device\Harddisk0\DR0 - ok
2011/06/26 18:00:53.0111 1152 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/06/26 18:01:03.0797 1844 Deinitialize success


[DavidR]

OK as the log says you will need to reboot to effect the cure. If you haven't done that then do so.

Let us know if avast alerts again after the reboot.

[Siyanaify]

Already done. Thank you so much for all your help.

[DavidR]

No problem, glad I could help.

Welcome to the forums.