Author Topic: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0  (Read 38968 times)

0 Members and 1 Guest are viewing this topic.

Smirza

  • Guest
Hi,

I have a rootkit which avast! wont delete. Its not being detected in boot time scan. Error comes up when i try to delete. I read some other similar posts about this and downloaded combofix but whenever i try to run it the computer shuts down. Need advise on what to do please. The virus is preventing internet explorer from working too.
Thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #1 on: March 25, 2011, 11:28:08 AM »
Download and run aswMBR.exe  http://public.avast.com/~gmerek/aswMBR.htm

* Double click the aswMBR.exe to run it
* Click the "Scan" button to start scan
* On completion of the scan click save log, save it to your desktop and post in your next reply

Smirza

  • Guest
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #2 on: March 25, 2011, 11:44:04 AM »
This is what came up. Thanks.



aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 11:42:30
-----------------------------
11:42:30.662    OS Version: Windows 6.0.6000
11:42:30.662    Number of processors: 2 586 0xE0C
11:42:30.662    ComputerName: SABRIA-PC  UserName: Sabria
11:42:34.515    Initialize success
11:42:37.073    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
11:42:37.073    Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
11:42:37.073    Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskHitachi_HTS541616J9SA00_________________SB4OC7KP#4&1e09ccbe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:42:37.089    Disk 0 MBR read successfully
11:42:37.089    Disk 0 MBR scan
11:42:37.105    Disk 0 TDL4@MBR code has been found
11:42:37.105    Disk 0 MBR hidden
11:42:37.105    Disk 0 MBR [TDL4]  **ROOTKIT**
11:42:37.120    Disk 0 trace - called modules:
11:42:37.120    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:42:37.120    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a26ad8]
11:42:37.136    3 ntkrnlpa.exe[824b07e2] -> nt!IofCallDriver -> [0x84fff6d8]
11:42:37.136    \Driver\iaStor[0x862f1b50] -> IRP_MJ_CREATE -> 0x86796439
11:42:37.151    Scan finished successfully

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #3 on: March 25, 2011, 11:47:11 AM »
Quote
11:42:37.105    Disk 0 TDL4@MBR code has been found
11:42:37.105    Disk 0 MBR [TDL4]  **ROOTKIT**
Scan again, when done click "FIX" post new log

Smirza

  • Guest
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #4 on: March 25, 2011, 11:54:01 AM »
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 11:52:47
-----------------------------
11:52:47.117    OS Version: Windows 6.0.6000
11:52:47.117    Number of processors: 2 586 0xE0C
11:52:47.117    ComputerName: SABRIA-PC  UserName: Sabria
11:52:48.536    Initialize success
11:52:50.611    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
11:52:50.627    Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
11:52:50.627    Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskHitachi_HTS541616J9SA00_________________SB4OC7KP#4&1e09ccbe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:52:50.642    Disk 0 MBR read successfully
11:52:50.642    Disk 0 MBR scan
11:52:50.642    Disk 0 TDL4@MBR code has been found
11:52:50.658    Disk 0 MBR hidden
11:52:50.658    Disk 0 MBR [TDL4]  **ROOTKIT**
11:52:50.674    Disk 0 trace - called modules:
11:52:50.674    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:52:50.689    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a26ad8]
11:52:50.689    3 ntkrnlpa.exe[824b07e2] -> nt!IofCallDriver -> [0x84fff6d8]
11:52:50.705    \Driver\iaStor[0x862f1b50] -> IRP_MJ_CREATE -> 0x86796439
11:52:50.705    Scan finished successfully
11:52:52.780    Disk 0 fixing MBR
11:53:02.810    Disk 0 MBR restored successfully
11:53:02.810    Infection fixed successfully - please reboot ASAP


should i reboot?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #5 on: March 25, 2011, 12:10:03 PM »
did you click "FIX MBR" or "FIX" ?

Quote
11:53:02.810    Infection fixed successfully - please reboot ASAP
yes reboot

scan again and post new log
« Last Edit: March 25, 2011, 12:12:49 PM by Pondus »

Smirza

  • Guest
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #6 on: March 25, 2011, 12:14:36 PM »
I clicked on fix. It's rebooting now.

Smirza

  • Guest
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #7 on: March 25, 2011, 12:23:05 PM »
Can only open in safe mode. Windows keeps shutting down. I ran scan, fix isn't a option only fixmbr. Should I click it?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #8 on: March 25, 2011, 12:24:50 PM »
no just scan and save log and post it

doktornotor

  • Guest
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #9 on: March 25, 2011, 12:32:27 PM »
While you might not like this answer, I feel it needs to be posted anyway: Infection by rootkit ->  game over. Go and reinstall from scratch.

Help: I Got Hacked. Now What Do I Do?

Quote
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.

The guys here do a great job when helping with infections, but in case of rookits, this simply is not enough.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #10 on: March 25, 2011, 12:35:33 PM »
Quote
but in case of rookits, this simply is not enough.
I am not sure Essexboy agree......
The plan is to end this with an OTS log and have him look at it anyway

Smirza

  • Guest
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #11 on: March 25, 2011, 12:38:38 PM »
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 12:20:13
-----------------------------
12:20:13.194    OS Version: Windows 6.0.6000
12:20:13.194    Number of processors: 2 586 0xE0C
12:20:13.194    ComputerName: SABRIA-PC  UserName: Sabria
12:20:14.005    Initialize success
12:20:16.298    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
12:20:16.298    Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
12:20:16.314    Disk 0 MBR read successfully
12:20:16.329    Disk 0 MBR scan
12:20:16.329    Disk 0 scanning sectors +312578048
12:20:16.361    Disk 0 scanning C:\Windows\system32\drivers
12:20:21.275    Service scanning
12:20:23.537    Disk 0 trace - called modules:
12:20:23.583    ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll iaStor.sys
12:20:23.583    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8598e030]
12:20:23.599    3 ntkrnlpa.exe[824b07e2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84fd5030]
12:20:23.599    Scan finished successfully

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #12 on: March 25, 2011, 12:41:11 PM »
well that looks clean


Download malwarebytes and run quick scan

Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
Always Update so you have latest database before you scan
Click the remove selected button to quarantine anything found

Post the scan log




doktornotor

  • Guest
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #13 on: March 25, 2011, 12:51:54 PM »
MBAM is not particularly good when it comes to rootkits. If anything, I'd suggest Hitman Pro (activate the 30 days trial license if it finds the rootkit). Also, this article covers multiple antirootkit tools: http://www.techrepublic.com/blog/networking/rootkits-is-removing-them-even-possible/736


Anyway, as I already said, I do not believe in disinfecting systems compromised by rootkit.

Smirza

  • Guest
Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
« Reply #14 on: March 25, 2011, 12:55:51 PM »
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6165

Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.17037

25/03/2011 12:52:17
mbam-log-2011-03-25 (12-52-04).txt

Scan type: Quick scan
Objects scanned: 153511
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 65
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{F244A744-534D-4A46-855F-C0C7E9F27DAA} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{030C9927-10FC-4169-97A2-55BECD5D88D8} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl.1 (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3E2DFD6A-4E20-4D4C-AA8B-E1F9DBEF3C80} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButton.1 (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButton (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{714E0876-FCEE-49CE-A429-B9AD8AEFCB56} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButtonA.1 (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButtonA (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand.1 (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{DD15BCC0-5FE9-4690-A957-99FA60ED9D26} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbAx.1 (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbAx (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{B035BA6B-57CD-4F72-B545-65BE465FCAF6} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{D44FD6F0-9746-484E-B5C4-C66688393872} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{0EB3F101-224A-4B2B-9E5B-DF720857529C} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\ShoppingReport2 (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ResultBar (Adware.ResultBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport2 (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low