Avast WEBforum
Other => Viruses and worms => Topic started by: pamzila on February 27, 2011, 12:49:37 PM
-
Hello, I'm new to the forums and I'm hoping that someone can help me with this problem I'm having.
I recently borrowed my boyfriend's laptop when I noticed that it was behaving strangely, so I ran a system scan which revealed a virus (or rootkit) called MBR:\\PHYSICALDRIVE0 and then prompted me to delete now and run a boot scan. Avast now continually prompts me to delete the 'rootkit' and run a boot scan every time the laptop is switched on.
Avast also detected svchost.exe as a threat a number of times whilst I was using it, and the internet browser redirects Google searches constantly. I recently downloaded OTL.exe from http://forum.avast.com/index.php?topic=66698.0 (http://forum.avast.com/index.php?topic=66698.0) but Windows is not allowing me to open the program on the laptop, even in safe mode. The error message for that reads:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item".
Now the laptop is sluggish to load up, not loading the taskbar, desktop image or desktop shortcuts (but I can still access files by running them from Task Manager).
I have been trying to repair the problem myself but there appears to be more than one thing going.
Somebody please help!
Thank you forum!
-
Hi there, let me see what you have.
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) (511KB) to your desktop.
Double click the aswMBR.exe to run it
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.jpg)
Click the "Scan" button to start the scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2.png)
Click "Fix" in case of infection
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR3.png)
Save the aswMBR.log to the desktop. Then post the log in your next reply
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR4.png)
THEN
Then try this; if it fails, go to Plan B.
Note: If using Firefox right-click on any download links and choose Save As
Please download OTH (http://oldtimer.geekstogo.com/OTH.scr) to your desktop
Please download OTL (http://oldtimer.geekstogo.com/OTL.scr) to your desktop
Please download the attached file Scan.txt to your desktop
Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.
(http://oldtimer.geekstogo.com/OTH/OTH_Main.gif)
Then select Start OTL. OTL will now run
- Double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
Select Scan.txt that you downloaded
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Click the Internet Explorer button, post these logs in your Virus Removal topic.
Plan B
Download Rkill from here; there are several flavours to choose from. If one does not work, try the next:
* rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
* rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
* rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
Once it is downloaded, double-click on rkill in order to automatically attempt to stop any processes associated with Security Central and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Central when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Central. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of my instructions.
Do not reboot your computer after running rkill as the malware programs will start again.
Then run OTL as above
-
I had to unblock the executable to get it going
Here's what aswMBR.exe found
aswMBR version 0.9.2 Copyright(c) 2011 avast! Software
Run date: 2011-02-27 12:22:24
-----------------------------
12:22:24.957 OS Version: Windows 6.0.6000
12:22:24.957 Number of processors: 2 586 0xE0C
12:22:24.960 ComputerName: BAZZATRON-PC UserName: Bazza
12:22:26.192 Initialize success
12:22:43.754 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
12:22:43.754 Disk 0 Vendor: FUJITSU_MHY2200BH 0000000B Size: 190782MB BusType: 3
12:22:43.769 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000065
12:22:43.770 Disk 1 Vendor: Generic- 1.00 Size: 190782MB BusType: 7
12:22:43.775 Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskFUJITSU_MHY2200BH_______________________0000000B#5&f975f34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
12:22:45.784 Disk 0 MBR read successfully
12:22:45.785 Disk 0 MBR scan
12:22:45.792 Disk 0 TDL4@MBR code has been found
12:22:45.800 Disk 0 MBR hidden
12:22:45.807 Disk 0 MBR [TDL4] **ROOTKIT**
12:22:45.824 Disk 0 trace - called modules:
12:22:45.826 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85829439]<<
12:22:45.842 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85291ad8]
12:22:45.843 3 ntkrnlpa.exe[820b06e2] -> nt!IofCallDriver -> [0x84bef928]
12:22:45.855 5 acpi.sys[8044232a] -> nt!IofCallDriver -> [0x84bd1bb0]
12:22:45.856 \Driver\atapi[0x84c1ce78] -> IRP_MJ_CREATE -> 0x85829439
12:22:45.867 Scan finished successfully
12:23:45.323 Disk 0 fixing MBR
12:23:55.326 Disk 0 MBR restored successfully
12:23:55.329 Infection fixed successfully - please reboot ASAP
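The log above is the important artefact in this thread: the `TDL4@MBR` detection, the `MBR hidden` line, the `>>UNKNOWN [0x85829439]<<` module in the disk I/O call chain, and the `IRP_MJ_CREATE -> 0x85829439` hook on `\Driver\atapi` all point at the same address, which is what makes the verdict credible. The following Python parser is an added example (not part of the thread and not Avast's own code) that pulls those indicators out of an aswMBR log and cross-checks that the IRP hook target matches the unmapped module. The first sample is trimmed from the log posted above; the second "clean" run is constructed for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the aswMBR log posted in this thread, trimmed to the lines the parser uses.
INFECTED_LOG = r"""aswMBR version 0.9.2 Copyright(c) 2011 avast! Software
Run date: 2011-02-27 12:22:24
-----------------------------
12:22:24.957 OS Version: Windows 6.0.6000
12:22:43.754 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
12:22:45.784 Disk 0 MBR read successfully
12:22:45.785 Disk 0 MBR scan
12:22:45.792 Disk 0 TDL4@MBR code has been found
12:22:45.800 Disk 0 MBR hidden
12:22:45.807 Disk 0 MBR [TDL4] **ROOTKIT**
12:22:45.824 Disk 0 trace - called modules:
12:22:45.826 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85829439]<<
12:22:45.842 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85291ad8]
12:22:45.856 \Driver\atapi[0x84c1ce78] -> IRP_MJ_CREATE -> 0x85829439
12:22:45.867 Scan finished successfully
12:23:45.323 Disk 0 fixing MBR
12:23:55.326 Disk 0 MBR restored successfully
"""

# Constructed clean run (not a real log) so the parser's negative path can be exercised.
CLEAN_LOG = r"""aswMBR version 0.9.2 Copyright(c) 2011 avast! Software
Run date: 2011-03-01 09:00:00
-----------------------------
09:00:01.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
09:00:02.000 Disk 0 MBR read successfully
09:00:02.010 Disk 0 MBR scan
09:00:02.030 Scan finished successfully
"""


@dataclass
class MbrScanResult:
    rootkit_family: Optional[str] = None          # e.g. "TDL4"
    mbr_hidden: bool = False                      # real MBR differs from what the OS reads back
    unknown_modules: List[str] = field(default_factory=list)   # addresses aswMBR could not map
    irp_hooks: List[Tuple[str, str, str]] = field(default_factory=list)  # (driver, IRP, target)
    mbr_restored: bool = False

    @property
    def infected(self) -> bool:
        return self.rootkit_family is not None or self.mbr_hidden or bool(self.unknown_modules)


TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} (?P<msg>.*)$")
DETECT = re.compile(r"(?P<family>\w+)@MBR code has been found")
ROOTKIT = re.compile(r"Disk \d+ MBR \[(?P<family>[^\]]+)\] \*\*ROOTKIT\*\*")
HIDDEN = re.compile(r"Disk \d+ MBR hidden")
UNKNOWN = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
IRP_HOOK = re.compile(
    r"^(?P<driver>\\Driver\\\w+)\[0x[0-9A-Fa-f]+\] -> (?P<irp>IRP_MJ_\w+) -> (?P<addr>0x[0-9A-Fa-f]+)$"
)
RESTORED = re.compile(r"Disk \d+ MBR restored successfully")


def parse_aswmbr_log(text: str) -> MbrScanResult:
    """Extract the rootkit indicators from aswMBR log text."""
    result = MbrScanResult()
    for line in text.splitlines():
        m = TIMESTAMP.match(line)
        if not m:
            continue  # banner / separator lines carry no timestamp
        msg = m.group("msg")
        if (r := ROOTKIT.search(msg)) or (r := DETECT.search(msg)):
            result.rootkit_family = r.group("family")
        elif HIDDEN.search(msg):
            result.mbr_hidden = True
        elif (u := UNKNOWN.search(msg)):
            result.unknown_modules.append(u.group("addr"))
        elif (h := IRP_HOOK.match(msg)):
            result.irp_hooks.append((h.group("driver"), h.group("irp"), h.group("addr")))
        elif RESTORED.search(msg):
            result.mbr_restored = True
    return result


def hook_matches_unknown(result: MbrScanResult) -> bool:
    """True when an IRP hook points at an address aswMBR could not attribute to any module."""
    targets = {addr for _, _, addr in result.irp_hooks}
    return bool(targets & set(result.unknown_modules))


if __name__ == "__main__":
    res = parse_aswmbr_log(INFECTED_LOG)
    print("infected:", res.infected, "family:", res.rootkit_family,
          "hook->unknown:", hook_matches_unknown(res), "restored:", res.mbr_restored)
```

The point of `hook_matches_unknown` is the one a reviewer of such a log checks by hand: an `IRP_MJ_CREATE` handler redirected into memory that no loaded driver owns is the bootkit's hook, and seeing the same address in both lines rules out a coincidental unmapped module.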
-
OK, that's the MBR bootkit gone. If you could now do OTL, I will see what is left ;D
-
I ran OTH and then OTL as instructed. I ran the wrong scan and tried to cancel it by restarting OTL, but I got blue-screened and Windows had to restart.
Avast alerted me about the \\.\PHYSICALDRIVE0 MBR:TDL file again, so I repeated the aswMBR scan but it found nothing.
So I ran OTH and OTL again... Here's what I got [view attachments]
-
Sounds like you may have TDL3 as well as the TDL4
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/PopularScreenSaversFWBInitialSetup1.0.1.0.cab (Reg Error: Key error.)
[2011/02/27 12:53:57 | 000,045,056 | ---- | M] () -- C:\Windows\System32\acovcnt.exe
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download ComboFix from one of these locations:
Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-
Here is the log from the OTL Quick Scan after reboot. I didn't run OTH with OTL (because I didn't know whether I'd need to run both this time again).
Logs are attached
-
Hi pamzila you forgot to attach the logs ;D
-
Oh dear... I have the logs of both OTL.exe and ComboFix.exe but cannot open any application, files or shortcuts (i.e. iexplore.exe and taskmgr.exe). ComboFix completed its scan successfully. Would it be safe to restart Windows now?
The error notice reads:
Illegal operation attempted on a registry key marked for deletion.
I reckon that I'd still be able to post the logs if I transfer them onto a flash drive (if it's advisable and would not harm the other laptop).
-
Restarted the comp. Here are the logs you requested
-
Intriguing that Combofix reports userinit infected yet the md5 is correct
What are your current problems ?
-
Everything appears to be in order. Sorted! ;D
Thank you for helping out :)
-
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go Start > All Programs > Accessories > System Tools
- Select Performance Information and Tools
- Right-click Disk Cleanup and select Run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Final stretch
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
For the first run I would recommend a boot defrag and disk check
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Bootdefrag.jpg)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo Update Checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link.
It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.
To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Hello, I was following this post as I am having the same problems. When I ran aswMBR.exe I messed up and clicked on the "other fix option"; I didn't pay attention to it till it was too late. Now Windows will not load and it goes to the Windows repair screen, but it says it cannot repair Windows.
-
Did you press the fixmbr button?
What is your operating system?
-
Yes, it was fixmbr, Windows 7
-
So, I was able to fix the MBR by using Ubuntu. Now I can get back to following the steps (paying a little more attention this time around).
-
Aye, if you could run aswMBR again please, this time no fix, as it will cure two different problems but you need to know which is which.
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) (511KB) to your desktop.
Double click the aswMBR.exe to run it
(http://i1224.photobucket.com/albums/ee362/Essexboy3/ASWMbr1.gif)
Click the "Scan" button to start the scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/ASWMbr2.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
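The helper's "scan, but don't fix" step is about establishing what state the MBR is actually in before writing to it. The added example below (not part of the thread and not an aswMBR feature) shows the check a practitioner would script for the same purpose: parse the 512-byte MBR sector, confirm the `0x55AA` boot signature, decode the four partition entries, and fingerprint the 446-byte boot-code area so it can be compared against a baseline taken when the machine was known clean. The disk images, the "known-good" code bytes and the "tampered" variant are all constructed test data, not real boot code or real malware; the layout constants (446-byte code area, 16-byte entries at offset 446, signature at offset 510) are the standard MBR format.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
CODE_AREA = 446                 # bytes 0..445: boot code
TABLE_OFFSET = 446              # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR image from constructed test data (no real disk involved).
    partitions: up to four (status, type, lba_start, sector_count) tuples."""
    if len(boot_code) > CODE_AREA or len(partitions) > 4:
        raise ValueError("boot code or partition list too large")
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    )
    return boot_code.ljust(CODE_AREA, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> Dict:
    """Decode signature, partition table and a SHA-256 of the boot-code area."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "code_sha256": hashlib.sha256(sector[:CODE_AREA]).hexdigest(),
        "partitions": parts,
    }


def boot_code_changed(current: bytes, baseline_digest: str) -> bool:
    """Compare the boot-code fingerprint of a freshly read MBR against a stored baseline."""
    return parse_mbr(current)["code_sha256"] != baseline_digest


# Constructed stand-ins: arbitrary bytes, not a real bootloader and not real malware.
GOOD_CODE = bytes(range(0x10, 0x40))
TAMPERED_CODE = bytes(range(0x10, 0x30)) + b"\x41" * 16   # same length, last 16 bytes differ
# Constructed partition layout: a bootable 100 MiB system partition and one large data partition.
PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 390000000)]

BASELINE_MBR = build_mbr(GOOD_CODE, PARTITIONS)
TAMPERED_MBR = build_mbr(TAMPERED_CODE, PARTITIONS)
BASELINE_DIGEST = parse_mbr(BASELINE_MBR)["code_sha256"]

if __name__ == "__main__":
    for name, img in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(img)
        print(name, "signature_ok:", info["signature_ok"],
              "partitions:", len(info["partitions"]),
              "code changed:", boot_code_changed(img, BASELINE_DIGEST))
```

The lesson the tampered image makes concrete is that the `0x55AA` signature and a sane partition table survive a boot-code replacement untouched, so "Windows still boots and the partitions look right" says nothing about the first 446 bytes; only a fingerprint taken while the machine was clean, and compared from outside the running OS (a live CD, as the Ubuntu repair in this thread), tells them apart.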
-
OK, I have two scans, one before I messed up the MBR and one after.
-
The latest reports a clean MBR. What problems do you have?
-
Well, that's what I was wondering. My Avast is shut off and it's not letting me turn it back on; as well, each time I restart Windows my icons are missing, and I have to right-click > View > Show desktop icons. Just got Avast going again. Going to scan and see if I still have anything show up there.
-
Forgot to mention that my svchost.exe is still running at a high CPU (50-75%).
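A persistently busy svchost.exe is a common complaint in these threads, and the helper's later suggestion (Process Explorer to see what runs under svchost) is the right instinct: svchost.exe is only a host, so the question is which services each instance carries. The added example below (not part of the thread, not a tool from the thread) does the first pass of that triage on the output of the built-in `tasklist /svc` command: it groups services by PID and flags any svchost.exe instance that hosts no service at all, which on a settled system is worth a second look. The sample output is constructed in the command's layout with made-up PIDs and service names, not taken from the poster's machine. Treat a hit as a lead, not a verdict: an empty svchost can be transient during start-up or shutdown, and Process Explorer's parent-process view (a legitimate svchost is started by services.exe) is the confirming check.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of `tasklist /svc` output. PIDs and service names
# are made up for this example; they are not from any machine in the thread.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
services.exe                   544 N/A
svchost.exe                    656 DcomLaunch, PlugPlay
svchost.exe                    736 RpcEptMapper, RpcSs
svchost.exe                    892 Dnscache, NlaSvc, Themes,
                                   WinHttpAutoProxySvc
svchost.exe                   1348 N/A
explorer.exe                  2012 N/A
"""

# A row is: image name (may contain spaces), PID, then the service list or N/A.
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def _split_services(text: str) -> List[str]:
    text = text.strip()
    if text == "N/A":
        return []
    return [s.strip() for s in text.split(",") if s.strip()]


def parse_tasklist_svc(text: str) -> List[Dict]:
    """Parse `tasklist /svc` output, joining wrapped service lists onto their row."""
    rows: List[Dict] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # header and separator
        if line[0].isspace() and rows:
            # tasklist wraps long service lists onto indented continuation lines
            rows[-1]["services"].extend(_split_services(line))
            continue
        m = ROW.match(line)
        if not m:
            continue
        rows.append({"image": m.group("image"), "pid": int(m.group("pid")),
                     "services": _split_services(m.group("svcs"))})
    return rows


def services_for_pid(rows: List[Dict], pid: int) -> List[str]:
    for r in rows:
        if r["pid"] == pid:
            return list(r["services"])
    return []


def empty_svchost_pids(rows: List[Dict]) -> List[int]:
    """PIDs of svchost.exe instances that host no service: the first thing to look at
    when one instance is pinning the CPU."""
    return [r["pid"] for r in rows
            if r["image"].lower() == "svchost.exe" and not r["services"]]


if __name__ == "__main__":
    parsed = parse_tasklist_svc(SAMPLE_TASKLIST)
    for r in parsed:
        if r["image"].lower() == "svchost.exe":
            print(r["pid"], ", ".join(r["services"]) or "<no services>")
    print("svchost instances with no services:", empty_svchost_pids(parsed))
```

On a real machine the input comes from `tasklist /svc` run from an elevated prompt (without elevation some service names are reported as N/A for processes you cannot inspect, which would produce false hits); pair the flagged PID with the CPU column from Task Manager or Process Explorer to see whether the empty instance is also the busy one.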
-
Let's have another look-see.
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it
- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity Scan
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
-
OK, here is the log for OTS. Before I did this I ran an Avast quick scan and found nothing.
-
OK, if there is no resolution after this I will ask you to use Process Explorer to see what is running under svchost.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2765368391-2768568136-535573203-1000\] > -> HKEY_USERS\S-1-5-21-2765368391-2768568136-535573203-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D7E97865-918F-41E4-9CD0-25AB1C574CE8}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> jEgLeFd14000 -> C:\ProgramData\jEgLeFd14000
[File - Lop Check]
NY -> .# -> C:\Users\bubba\AppData\Roaming\.#
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Reboot]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
-
When it finished the scan it says "The system requires a reboot to finish removing files. click yes to reboot the system". Should I go ahead and reboot or click the "x" to get a log?
-
No, reboot the system; a log should appear when it restarts.
-
log
-
Are you still getting a high load?
-
Everything seems to be in order: icons appear on start-up, and Avast now properly protects on start-up. I had to reinstall Firefox to get it to work properly (it wouldn't work during or after the issues). I did a Windows update, and am running a full scan with Avast now. To answer your question, the processes seem to be running at a normal load now.
So, I guess I owe you a big THANK YOU for all your help.
-
I'm having the exact same symptoms as pamzila. So I ran MBR more than once (I'll explain).
So I downloaded OTH and OTL.
It took several tries with the OTL. I think their website was having trouble. I also downloaded the scan.txt file. I cannot get it to run in OTL.
I am posting my scanlogs.
The computer itself seems to be working okay. I'm not really sure what I'm doing. Obviously in the first scan log, I had problems. I had MBR fix the problem.
So do I run OTL without the file, or any ideas? Or am I good?
-
Okay,
I got the scan file to download. So I followed the instructions from there on out. I ran the OTH and OTL with the custom scan. The quick scan probably took 10 minutes. Here are the results.
-
The computer itself seems to be running fine.
Does anyone see anything that alarms them?
Should I do any other scans/steps?
What about uninstall and such?
To be honest I really don't know what I did to fix it, anyone want to elaborate on the programs used and what they did? I just would like to know.
Thanks,
Lucas
-
Let's leave it for a day or so; then, when you are happy, I will remove my tools.
-
So far the computer is working great. Should I do anything else?
Thanks again,
Lucas
-
I would recommend a scan with MBAM and then run OTL and hit the cleanup button. Just delete aswMBR from the desktop.
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.