Rootkit found - but what does it mean?

[xAOx]

Hello all, an alert from avast! popped up says "Rootkid Found" but the file name is pointing to MBR: \\.\PHYSICALDRIVE0\PARTITION3 and the action to take is Delete Now or Ignore. I am fairly certain that on my one harddrive, Partition 3 is where the OS resides. So if I choose to "Delete Now" is that going to harm the MBR and not let me load into Windows? And if I choose to Ignore, is this a real root kit somehow on my PC or a false-alarm?

Any help would be appreciated!

[essexboy]

Hi lets check it out

Download aswMBR.exe ( 4.1mb ) to your desktop.
 Double click the aswMBR.exe to run it  Click the "Scan" button to start scan 



On completion of the scan click save log, save it to your desktop and post in your next reply

[xAOx]

Nothing happens when I double-click the program. Tried in regular and safe mode windows.

[essexboy]

OK lets have a look at your partitions

Do the following:
Start -> Run
type diskmgmt.msc
Click "OK"
 
Disk Management will open.
 
Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.
 
Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

THEN

Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Post both logs

[xAOx]

Unfortunately, I can neither paste (exceeds 1000 characters) or attach the documents (says its full).
I zipped ad uploaded them here - http://www.sendspace.com/file/pqyjo3

THANK YOU in advance!

[essexboy]

How many partitions are showing in disc management and what are there sizes ?

Download the latest version of TDSSKiller from

here and save it to your Desktop.
 
 

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
   
  
   
  
• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
   
  
   
  
• Click the Start Scan button.
   
  
   
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
   
  
   
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
   
  
   
  
• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
[/list]

[xAOx]

Thanks for that program.

Very interesting- so i finally have a name for this rootkit, it is rootkit.boot.sst.b .

[essexboy]

Could you upload the log please as there are probaly some remnants to remove

[xAOx]

I could not attach because of a forum issue so please see the attached tds log here-
http://www.sendspace.com/file/r487u6

thanks!

[essexboy]

How is the computer behaving now ?

[xAOx]

Unfortunately I get endless BSOD in Windows and even Safe Mode. I am considering giving up and formatting - but here's the question - with this being a "bootkit" virus, is it possible that even after a format and Windows reinstall that the virus will appear?

[essexboy]

As it was a mbr malware you will need to reformat the disc to ensure that it has gone

When you get the Blue screen what is the error reported

[xAOx]

The typical blue screen "a problem has been detected..." STOP error is 0x followed by a series of zeros and 7E.
Thank you for your continued assistance...

[essexboy]

Are you able to access the safe mode menu ?

If so select Last Known  Good
Does that get you back ?

Do you have a windows CD as we can then use that next