Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0

[Smirza]

Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ResultBar (Adware.ResultBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingReport2 (Adware.Hotbar) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Value: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Value: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qnexayoqane (Trojan.Agent.U) -> Value: Qnexayoqane -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\resultbar (Adware.ResultBar) -> No action taken.
c:\program files\funwebproducts (Adware.MyWebSearch) -> No action taken.
c:\program files\funwebproducts\screensaver (Adware.MyWebSearch) -> No action taken.
c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> No action taken.
c:\program files\mywebsearch (Adware.MyWebSearch) -> No action taken.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> No action taken.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) -> No action taken.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> No action taken.
c:\program files\resultbar (Adware.ResultBar) -> No action taken.
c:\program files\shoppingreport2 (Adware.ShoppingReport2) -> No action taken.
c:\program files\shoppingreport2\Bin (Adware.ShoppingReport2) -> No action taken.
c:\program files\shoppingreport2\Bin\2.7.21 (Adware.ShoppingReport2) -> No action taken.

Files Infected:
c:\Users\Sabria\AppData\Local\Temp\srweanxmoc.exe (Adware.Agent) -> No action taken.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> No action taken.

[Smirza]

i have quarantined all the selected files and rebooted, but i still can only open in safe mode as windows keeps shutting down when opened normally. I get some blue screen with something written and then it shuts down... its too quick for me to read.

[Pondus]

OK... i am not sure if you can do this in safe mode, but you may try running OTS and posting the log


Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)


To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTS log )


i will notifie Essexboy now so he will look at this when he arrives her in....7-8 hours
may take longer if there is cricket on tv   

[Smirza]

Hi,

i have scanned OTS and attached. When will i be able to use computer normally?

thanks

[Pondus]

you have to wait for essexboy`s advice 

[Smirza]

Ok thanks for helping anyway.

[essexboy]

Hi this fix may take 10 - 15 minutes as there are a multitude of temporary files, so be patient

When done try to restart - if it blue screens capture as much as you can from the screen

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {258C9770-1713-4021-8D7E-1F184A2BD754} [HKLM] -> [ShoppingReport2]
YN -> {DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> [Java(tm) Plug-In 2 SSV Helper]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2436393040-1978007685-914896767-1000\] > -> HKEY_USERS\S-1-5-21-2436393040-1978007685-914896767-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "MDM" -> ["C:\Program Files\M-Budget\M-Budget Data Manager\LscaGui.exe"]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {DB38E21A-0133-419d-92AD-ECDFD5244D6D}:{3E2DFD6A-4E20-4d4c-AA8B-E1F9DBEF3C80} [HKLM] -> [Button: ShopperReports - Compare product prices]
YN -> {EB620C54-E229-4942-87CE-E717109FC8C6}:{714E0876-FCEE-49ce-A429-B9AD8AEFCB56} [HKLM] -> [Button: ShopperReports - Compare travel rates]
[Files - No Company Name]
NY ->  pkgeuyo.sys -> C:\Windows\System32\drivers\pkgeuyo.sys
NY ->  temppf.sys -> C:\Windows\System32\temppf.sys
[Empty Temp Folders]
[EmptyFlash]

 
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

[Smirza]

Hi,

So i did as you said and ran the run fix but after i did that i got a message saying that i must reboot to have the files removed. So i rebooted, no notepad came up, so not sure how to get the log. Also the blue screen still comes up when i try to open windows normally. The blue screen comes up for a split second. the most i can get from it is it says ' a problem has been detected windows is shutting down to avoid delays' its something along those lines. As i said it goes very quickly that im unable to get much for from it. Please let me know what i should do next.

Thank you.

[doktornotor]

The time spent trying to fix the unfixable would have better been used to reinstall your system. You would be done now and would have a system that you can trust.

http://forum.avast.com/index.php?topic=74627.msg618213#msg618213

[Smirza]

Is that easier? What does it require?

[znop]

I also contracted the "MBR:\\.\PHYSICALDRIVE0"...  I simply downloaded and ran TdssKiller.  that seem to work.  I haven't heard back from my friend about any further problems 

[zeeshanaskari]

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-17 11:32:41
-----------------------------
11:32:41.468    OS Version: Windows 5.1.2600 Service Pack 3
11:32:41.468    Number of processors: 2 586 0x1706
11:32:41.468    ComputerName: ZEESHAN  UserName:
11:32:41.937    AVAST engine 6.0.1125 defs: 11061601
11:32:41.937    Initialize success
11:32:44.109    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
11:32:44.109    Disk 0 Vendor: Intel___ 1.0. Size: 476937MB BusType: 8
11:32:44.109    Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskZeeshan1.0.00__#4&765a36c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:32:44.109    Disk 0 MBR read successfully
11:32:44.109    Disk 0 MBR scan
11:32:44.109    Disk 0 Alureon-C@mbr [Rtk]
11:32:44.109    Disk 0 TDL4@MBR code has been found
11:32:44.109    Disk 0 Windows XP default MBR code found via API
11:32:44.109    Disk 0 MBR hidden
11:32:44.109    Disk 0 MBR [TDL4]  **ROOTKIT**
11:32:44.109    Disk 0 trace - called modules:
11:32:44.125    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8abe8555]<<
11:32:44.125    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ab07ab8]
11:32:44.125    3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> [0x8913f688]
11:32:44.125    \Driver\iaStor[0x8abe5030] -> IRP_MJ_CREATE -> 0x8abe8555
11:32:44.125    AVAST engine scan C:\WINDOWS\system32
11:34:01.406    Scan finished successfully
11:35:00.843    Disk 0 MBR has been saved successfully to "C:\MBR.dat"
11:35:00.843    The log file has been saved successfully to "C:\aswMBR17JunXI-1.txt"

[Pondus]

@zeeshanaskari

11:32:44.109    Disk 0 Alureon-C@mbr [Rtk]
11:32:44.109    Disk 0 TDL4@MBR code has been found
11:32:44.109    Disk 0 MBR [TDL4]  **ROOTKIT**

*run a new scan and click "fix" then reboot
*after reboot, scan again and click "save log" and post in your next reply

[tilakv]

Hi
I have the same issue as the OP. Please help.
Rootkit virus. Bootime scan finds it, fixes it and when I log into the machine, its back again. Can someone help?

[DavidR]

Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and start your own new topic here http://forum.avast.com/index.php?board=4.0 and attach the logs there, not in the LOGS topic.