Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Pony_Girl on February 01, 2011, 02:42:15 AM

Title: [RESOLVED] Rootkit infection detected... :(
Post by: Pony_Girl on February 01, 2011, 02:42:15 AM
Hello, newbie here. =)

I appear to be having the same problem as described in this thread:
http://forum.avast.com/index.php?topic=36318.0

Here is a screen shot of the Avast! alert:
(http://img822.imageshack.us/img822/2516/18068621.png) (http://img822.imageshack.us/i/18068621.png/)

After displaying this alert, Avast! then instructs me to delete the file, so of course I click "OK" to let Avast! do what it's told me to do. Avast! then instructs me to run a computer scan; of course I do this. The computer scan says zero infected files, but Avast! keeps flagging up this possible rootkit thing and repeats its instructions to delete then run a scan.

If it helps, the antivirus I'm currently using is the downloaded Avast! Free Antivirus.

I am at a complete loss as to what to do as I don't know much about this stuff.

Thank-you all who read this for your time and interest, it's greatly appreciated. Best wishes and kind regards.
Any help and advice would be greatly appreciated, just please bear in mind I'm not all that familiar with technical terms and this area of computing in general.
Title: Re: Rootkit infection detected... :(
Post by: Tgell on February 01, 2011, 03:33:37 AM
If avast! cannot get rid of the rootkit, try Dr. Web CureIt. Do the express scan. It is very good at cleaning MBR rootkits.

http://www.freedrweb.com/cureit/?lng=en

Another that will cure an mbr rootkit would be Prevx.

http://info.prevx.com/downloadcsi.asp
Title: Re: Rootkit infection detected... :(
Post by: marc-d-l on February 01, 2011, 04:47:21 AM
You could also try F-Secure BlackLight. It's easy to use, small, and does the job.
Title: Re: Rootkit infection detected... :(
Post by: xqrzd on February 01, 2011, 05:01:49 AM
You probably have the TDL4 rootkit; try running a scan with TDSS Killer: http://support.kaspersky.com/viruses/solutions?qid=208280684
Title: Re: Rootkit infection detected... :(
Post by: nmb on February 01, 2011, 07:01:00 AM
Hello Pony_Girl,

I will notify essexboy (http://forum.avast.com/index.php?action=profile;u=11091), the malware expert. He will be here by 08:00pm - 11:59pm UK time
Title: Re: Rootkit infection detected... :(
Post by: gmer on February 01, 2011, 10:14:41 AM
@Pony_Girl

Please take a look at the file:

C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\aswAr.log

In case of TDL infection you should see :

Quote
avast! Antirootkit, version 1.0
Scan started: Tuesday, February 01, 2011 10:03:42 AM

Process  [4]
...
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y120P0__________________________YAR41BW0#335930334d57455920#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
Device \Driver\atapi -> DriverStartIo 816b7abf
Disk 0 MBR [TDL4]  **ROOTKIT**

Thanks
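The aswAr.log excerpt above is the indicator gmer asks Pony_Girl to look for. The following script is an added example, not avast's code and not something posted in this thread: it reads an aswAr.log-style text, pulls out the scan start time, any `Disk N MBR [family]  **ROOTKIT**` verdict lines, and the `Device ... -> ...` entries as context, so the check gmer describes can be done with a script instead of by eye. The line format is taken from the excerpt in the thread; the sample logs are constructed from it, and the clean-log variant simply omits the rootkit line (an assumption about what a clean scan looks like).

```python
"""Parse avast! Antirootkit (aswAr.log) output and report MBR rootkit verdicts.

Added example, not avast's own code. The line patterns are taken from the
aswAr.log excerpt posted in this thread; everything else is an assumption.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample that mirrors the TDL4 excerpt from the thread (not a real capture).
SAMPLE_ASWAR_LOG = r"""
avast! Antirootkit, version 1.0
Scan started: Tuesday, February 01, 2011 10:03:42 AM

Process  [4]
...
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y120P0#335930334d57455920#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
Device \Driver\atapi -> DriverStartIo 816b7abf
Disk 0 MBR [TDL4]  **ROOTKIT**
"""

# Constructed clean variant: same header, no MBR verdict line (assumed clean-scan shape).
CLEAN_ASWAR_LOG = r"""
avast! Antirootkit, version 1.0
Scan started: Tuesday, February 01, 2011 10:05:11 AM

Process  [4]
...
"""

# "Disk 0 MBR [TDL4]  **ROOTKIT**" -> disk index and detected family.
ROOTKIT_RE = re.compile(r"^Disk (?P<disk>\d+) MBR \[(?P<family>[^\]]+)\]\s+\*\*ROOTKIT\*\*\s*$")
# "Device <object> -> <detail>" lines; kept as context, not interpreted.
DEVICE_RE = re.compile(r"^Device (?P<device>\S+) -> (?P<detail>.+)$")
SCAN_RE = re.compile(r"^Scan started: (?P<when>.+)$")


def parse_aswar_log(text: str) -> Dict[str, object]:
    """Return scan time, MBR rootkit verdicts and device entries found in the log."""
    rootkits: List[Dict[str, object]] = []
    devices: List[Tuple[str, str]] = []
    scan_started = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SCAN_RE.match(line)
        if m:
            scan_started = m.group("when")
            continue
        m = ROOTKIT_RE.match(line)
        if m:
            rootkits.append({"disk": int(m.group("disk")), "family": m.group("family")})
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append((m.group("device"), m.group("detail")))
    return {"scan_started": scan_started, "rootkits": rootkits, "devices": devices}


def mbr_infected(text: str) -> bool:
    """True when at least one disk's MBR carries a **ROOTKIT** verdict."""
    return bool(parse_aswar_log(text)["rootkits"])


def summarize(text: str) -> str:
    """One-line, human-readable verdict for a log, e.g. for pasting into a forum reply."""
    parsed = parse_aswar_log(text)
    if not parsed["rootkits"]:
        return "no MBR rootkit verdict in this log (scan started %s)" % parsed["scan_started"]
    hits = ", ".join("disk %d: %s" % (r["disk"], r["family"]) for r in parsed["rootkits"])
    return "MBR ROOTKIT detected on %s (scan started %s)" % (hits, parsed["scan_started"])


if __name__ == "__main__":
    print(summarize(SAMPLE_ASWAR_LOG))
    print(summarize(CLEAN_ASWAR_LOG))
```

Point the script at the real file (`C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\aswAr.log` on the XP-era path gmer gives) by reading it into a string and passing it to `summarize`; a verdict line for the boot disk is what confirms the TDL infection gmer describes, and the device lines are only carried along so the person helping can see them.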
Title: Re: Rootkit infection detected... :(
Post by: Pony_Girl on February 01, 2011, 11:48:15 AM
@ All who've kindly taken the time to read and respond to my thread: Thank-you. =)
It's annoying knowing this problem probably is what I think it is, but at least now I know what it could be I can get round to getting it sorted and find something suitable to protect the computer from it in the future. =)

@ gmer:
On your latest post in this thread... Would I be wrong in assuming that what you're instructing me to do is in order to determine whether or not this is a TDL infection? Just curious.
Title: Re: Rootkit infection detected... :(
Post by: gmer on February 01, 2011, 12:11:20 PM
Please send your aswAr.log file to: gmerek(at)avast.com
Title: Re: Rootkit infection detected... :(
Post by: essexboy on February 01, 2011, 07:25:50 PM
Hi GMER, does this also detect Whistler?
Title: Re: Rootkit infection detected... :(
Post by: gmer on February 01, 2011, 08:01:09 PM
Hi essexboy,

Yes, AVAST can detect most MBR rootkits.

Quote
Alureon@mbr
Sinowal@mbr
Whistler@mbr
Title: Re: Rootkit infection detected... :(
Post by: essexboy on February 01, 2011, 08:14:40 PM
Ta  ;D

Any progress on the cleaning front ?   Although even TDSSKiller and Combofix are finding it hard to clear the latest variant
Title: Re: Rootkit infection detected... :(
Post by: gmer on February 01, 2011, 09:57:22 PM
@essexboy

here is something you might like to check out

http://public.avast.com/~gmerek/aswMBR.htm

any feedback or comments are welcome
Title: Re: Rootkit infection detected... :(
Post by: essexboy on February 01, 2011, 10:05:42 PM
Guess what - I will use this tool at the next available opportunity.   ;D Is this for general release or currently under test ?

EDIT: Win7 64bit run as admin

Quote
aswMBR version 0.9 Copyright(c) 2010 avast! Software
Run date: 2011-02-01 21:15:26
-----------------------------
21:15:26.894    OS Version: Windows x64 6.1.7600
21:15:26.894    Number of processors: 2 586 0x4B02
21:15:26.894    ComputerName: MARTIN-PC  UserName: Martin
21:15:27.752    Initialze error - driver not loaded

I will try on my winxp vm next
Title: Re: Rootkit infection detected... :(
Post by: essexboy on February 01, 2011, 11:11:40 PM
Works on 32 bit systems  ;D
Title: Re: Rootkit infection detected... :(
Post by: gmer on February 02, 2011, 08:16:31 AM
@essexboy, this tool is available for the avast! community :)

it works on x64 however its driver is not signed yet

to run it on x64 you must "Disable Driver Signature Enforcement" (press F10 before the OS starts)
Title: Re: Rootkit infection detected... :(
Post by: pk on February 02, 2011, 03:54:32 PM
I have two disks, but aswMBR shows the same size for both HDDs:

14:49:56.660    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-6
14:49:56.660    Disk 0 Vendor: INTEL_SSDSA2M160G2GC 2CV102HD Size: 152627MB BusType: 11
14:49:56.663    Disk 1  \Device\Harddisk1\DR2 -> \Device\000000c9
14:49:56.666    Disk 1 Vendor: WD______ 1.75 Size: 152627MB BusType: 7

Title: Re: Rootkit infection detected... :(
Post by: gmer on February 02, 2011, 05:06:03 PM
Thanks Petr, it indeed shows the boot disk size for all disks.

Fixed, new version uploaded.
Title: Re: Rootkit infection detected... :(
Post by: essexboy on February 02, 2011, 07:37:10 PM
Ok and thanks - trying it now on one here that MBRCheck has failed on
Title: Re: Rootkit infection detected... :(
Post by: pk on February 02, 2011, 08:57:18 PM
Should it scan the MBR on all available HDDs? It seems it scans only Disk 0.
Timestamp is not local, but in GMT.
Title: Re: Rootkit infection detected... :(
Post by: gmer on February 02, 2011, 09:05:34 PM
It scans the boot disk (in most cases its number is 0).

Title: Re: Rootkit infection detected... :(
Post by: pk on February 02, 2011, 09:07:40 PM
Quote
It scans boot disk (in most cases its number is 0)

So is this log ok? What about Disk 1?

Quote
aswMBR version 0.9 Copyright(c) 2010 avast! Software
Run date: 2011-02-02 14:49:54
-----------------------------
14:49:54.256    OS Version: Windows 6.1.7600
14:49:54.256    Number of processors: 2 586 0x1706
14:49:54.258    ComputerName: PK-PC  UserName:
14:49:54.783    Initialize success
14:49:56.660    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-6
14:49:56.660    Disk 0 Vendor: INTEL_SSDSA2M160G2GC 2CV102HD Size: 152627MB BusType: 11
14:49:56.663    Disk 1  \Device\Harddisk1\DR2 -> \Device\000000c9
14:49:56.666    Disk 1 Vendor: WD______ 1.75 Size: 152627MB BusType: 7
14:49:56.671    Disk 0 MBR read successfully
14:49:56.672    Disk 0 scanning MBR
14:49:56.679    Disk 0 scanning sectors +312578048
14:49:56.682    Disk 0 scanning C:\Windows\system32\drivers
14:49:57.687    Scan finished successfully
Title: Re: Rootkit infection detected... :(
Post by: TheSecurityFreak on February 02, 2011, 11:31:51 PM
Deleting that file (it looks like it's the MBR) might harm your system.

Try Dr.Web CureIt, and see if that detects it and fixes it (It probably won't delete the MBR completely)
Title: Re: Rootkit infection detected... :(
Post by: Pony_Girl on February 03, 2011, 01:50:26 AM
Quote
Please send your aswAr.log file to: gmerek(at)avast.com

Done as requested. =)
Title: Re: Rootkit infection detected... :(
Post by: Pony_Girl on February 04, 2011, 02:08:06 AM
Oh for f**ksake... I have had it up to here with my 18 y/o younger brother... gmer, I got your e-mail, tried to download the file to my desktop as instructed to do so, but I couldn't do that without some password...
Wanna know why? Because my bro' kept downloading dodgy crap and getting viruses, so my mum made it so everybody has to use a password (that only she knows) in order to download anything, except that was a pretty pointless idea as she let my bro' know the password anyway (because it's easier for her just to let him do whatever the f**k he likes instead of telling him "No!") *facepalm X100*, it would be absolutely pointless me trying to explain that I need it to get rid of this bloody rootkit as she's pretty much computer illiterate *facepalms again, thinking about tearing hair out* and it'd all go over her head... As soon as I've saved enough, I'm getting my own computer, if my bro' gets within a meter of it I'll chase him with a stick to keep him away so he can't break it, because I don't have money to keep buying new computers and doubtless I'd have to if he got anywhere near it. Had it up to here with fools who think they know everything (bro'), clueless people (mum) and sharing a damned computer. Rant over, for real, no more ranting, just felt like ranting... *Weary sigh...*

Back to topic: Forgot to mention this - got a re-direct virus, from what I've garnered it's probably something to do with the rootkit (actually, this apparent "re-direct" virus thing doesn't seem to do much, and when it does it just takes me off to some apparently harmless but extremely dull sites about car insurance and dieting, if it does try to take me to an apparently "Harmful" site, it just gets blocked before it can load resulting in FAIL *shrug*. Still want rid of it though, don't want it possibly doing other things).
Title: Re: Rootkit infection detected... :(
Post by: ArtemisF0wl on February 04, 2011, 03:09:50 AM
The password is for browsers only, or the whole system? For instance, i was thinking maybe you and GMER could transfer the file via ICQ or some messenger; even email (the file is tiny). Just a thought, i'd like to see you toast this little nasty. ;)
Title: Re: Rootkit infection detected... :(
Post by: Pony_Girl on February 04, 2011, 10:16:40 PM
@ ArtemisF0wl: I have no idea what the password covers, aside from that it's needed to download ANYTHING at all. But never mind that, I've acquired the useless stupid f**king password.

@ gmer: Followed your instructions exactly. Except, when I went to click "Save" I noticed it had a "Fix" button too, I didn't touch that though because I thought it best to just do as I was told. Should I have clicked "Fix"? By the way, not sent the files yet as despite the amount of searching I've done (this is something I'm pretty familiar with) I just can't find the f**ker ANYWHERE (there are also folders/files that for some reason I DON'T have access to/permission to open/look at, how helpful is that (sarcasm)... *growls*)...

By the end of February I may actually have torn my hair out in frustration and smashed the computer to pieces in a fit of rage. I hate technology when it doesn't work/do what it's meant to do (and my irresponsible thinks-he-knows-everything-but-actually-knows-f**k-all brother), I'd rather go back to living under a rock, I was quite happy there before. End of 2009 up until today has just been horrendous and extremely irritating in all aspects, so if one more thing goes wrong I may actually go insane. Rant over.
Title: Re: Rootkit infection detected... :(
Post by: Pony_Girl on February 04, 2011, 10:26:10 PM
At this rate I may just haul the damned computer to a person who is qualified to fix it and paid to do so, and offer a large sum of cash in hand to take the back seat and say "Here's the cash, YOU deal with it!"... *Weary sigh*.
Title: Re: Rootkit infection detected... :(
Post by: Pony_Girl on February 04, 2011, 11:29:26 PM
Actually, just a thought - but is it at all possible to just remove and replace some sort of part of the computer to get rid of the nasty rootkit thing? Because if it is I'll fork out whatever price is asked to replace it. Thanks for your time.
Title: Re: Rootkit infection detected... :(
Post by: Pony_Girl on February 06, 2011, 02:42:04 AM
*Shameless bump*

@ gmer: Followed your instructions to a T, however was unable to send the requested files (aswMBR.log and MBR.dat) as despite the amount of searching I've done I just can't find where they're located.

So, anybody know where the files/folders aswMBR.log and MBR.dat are located/where I should look?
Title: Re: Rootkit infection detected... :(
Post by: ArtemisF0wl on February 06, 2011, 03:07:32 AM
Click "Start" and type in the search box aswMBR.txt, and do the same for the other file. Hope this helps.
Title: Re: Rootkit infection detected... :(
Post by: Pony_Girl on February 07, 2011, 11:27:43 AM
@ ArtemisF0wl: Thank-you :)! Put me in a much better mood, not feeling so hopeless about this now :) .
I am familiar with searching and fairly computer literate (ie. I can usually figure out basic things and happily use the computer un-assisted, I've worked in administration before), but I'm a bit 'rusty' and it's something I've not had to do for a long time. Planning to do a course or 2 in the near future to refresh my memory

[EDIT] ArtemisF0wl: Just read your PM (replying here as new members of this forum don't seem to have the PM option right away), thank-you again :) . That is something I shall definitely look into :) .

@ gmer: Will send the requested files as soon as I am able to get to my computer later today ASAP if you still need me to send them to you.
Title: Re: Rootkit infection detected... :(
Post by: Pony_Girl on February 09, 2011, 10:56:22 PM
@ gmer and anybody else willing to read this thread and try to help:

gmer, I honestly cannot find the files you requested I send to you (aswMBR.log and MBR.dat), I have no idea why but they just don't appear to exist... Yes, basic searches and all that is something I'm pretty much familiar with, it's basic stuff, still can't just find those damned files. Yes I also followed your instructions to a T, did everything you said to do.

Anybody know any reason as to why I can't seem to find the files that supposedly should be there? Anybody got any other suggestions or solutions to this problem?

ANY help and advice would be greatly appreciated.

If anybody who's willing to help needs to communicate with me in order to do so - I'm from the UK, I'm available pretty much 24/7 except Mondays until 6pm due to college, I have both AIM and MSN, I have no problem whatsoever with remote assistance being used if need be (not hiding anything, nothing particularly important to me/private on this computer except family photographs and I generally don't mind which of my files get seen by anybody).
Title: Re: Rootkit infection detected... :(
Post by: Pony_Girl on February 17, 2011, 03:08:27 AM
Problem resolved. :)

Big thank-you to gmer and ArtemisF0wl. :D