Avast WEBforum

Other => Viruses and worms => Topic started by: Smirza on March 25, 2011, 11:02:14 AM

Title: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 11:02:14 AM
Hi,

I have a rootkit which avast! won't delete. It's not being detected in the boot-time scan. An error comes up when I try to delete it. I read some other similar posts about this and downloaded ComboFix, but whenever I try to run it the computer shuts down. Need advice on what to do please. The virus is preventing Internet Explorer from working too.
Thanks
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Pondus on March 25, 2011, 11:28:08 AM
Download and run aswMBR.exe  http://public.avast.com/~gmerek/aswMBR.htm

* Double click the aswMBR.exe to run it
* Click the "Scan" button to start scan
* On completion of the scan click save log, save it to your desktop and post in your next reply
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 11:44:04 AM
This is what came up. Thanks.



aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 11:42:30
-----------------------------
11:42:30.662    OS Version: Windows 6.0.6000
11:42:30.662    Number of processors: 2 586 0xE0C
11:42:30.662    ComputerName: SABRIA-PC  UserName: Sabria
11:42:34.515    Initialize success
11:42:37.073    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
11:42:37.073    Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
11:42:37.073    Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskHitachi_HTS541616J9SA00_________________SB4OC7KP#4&1e09ccbe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:42:37.089    Disk 0 MBR read successfully
11:42:37.089    Disk 0 MBR scan
11:42:37.105    Disk 0 TDL4@MBR code has been found
11:42:37.105    Disk 0 MBR hidden
11:42:37.105    Disk 0 MBR [TDL4]  **ROOTKIT**
11:42:37.120    Disk 0 trace - called modules:
11:42:37.120    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:42:37.120    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a26ad8]
11:42:37.136    3 ntkrnlpa.exe[824b07e2] -> nt!IofCallDriver -> [0x84fff6d8]
11:42:37.136    \Driver\iaStor[0x862f1b50] -> IRP_MJ_CREATE -> 0x86796439
11:42:37.151    Scan finished successfully
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Pondus on March 25, 2011, 11:47:11 AM
Quote
11:42:37.105    Disk 0 TDL4@MBR code has been found
11:42:37.105    Disk 0 MBR [TDL4]  **ROOTKIT**
Scan again; when done, click "FIX" and post the new log.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 11:54:01 AM
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 11:52:47
-----------------------------
11:52:47.117    OS Version: Windows 6.0.6000
11:52:47.117    Number of processors: 2 586 0xE0C
11:52:47.117    ComputerName: SABRIA-PC  UserName: Sabria
11:52:48.536    Initialize success
11:52:50.611    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
11:52:50.627    Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
11:52:50.627    Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskHitachi_HTS541616J9SA00_________________SB4OC7KP#4&1e09ccbe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:52:50.642    Disk 0 MBR read successfully
11:52:50.642    Disk 0 MBR scan
11:52:50.642    Disk 0 TDL4@MBR code has been found
11:52:50.658    Disk 0 MBR hidden
11:52:50.658    Disk 0 MBR [TDL4]  **ROOTKIT**
11:52:50.674    Disk 0 trace - called modules:
11:52:50.674    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:52:50.689    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a26ad8]
11:52:50.689    3 ntkrnlpa.exe[824b07e2] -> nt!IofCallDriver -> [0x84fff6d8]
11:52:50.705    \Driver\iaStor[0x862f1b50] -> IRP_MJ_CREATE -> 0x86796439
11:52:50.705    Scan finished successfully
11:52:52.780    Disk 0 fixing MBR
11:53:02.810    Disk 0 MBR restored successfully
11:53:02.810    Infection fixed successfully - please reboot ASAP


Should I reboot?
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Pondus on March 25, 2011, 12:10:03 PM
Did you click "FIX MBR" or "FIX"?

Quote
11:53:02.810    Infection fixed successfully - please reboot ASAP
Yes, reboot.

Scan again and post a new log.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 12:14:36 PM
I clicked on fix. It's rebooting now.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 12:23:05 PM
I can only open in Safe Mode. Windows keeps shutting down. I ran the scan; "Fix" isn't an option, only "FixMBR". Should I click it?
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Pondus on March 25, 2011, 12:24:50 PM
No, just scan, save the log and post it.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: doktornotor on March 25, 2011, 12:32:27 PM
While you might not like this answer, I feel it needs to be posted anyway: Infection by rootkit ->  game over. Go and reinstall from scratch.

Help: I Got Hacked. Now What Do I Do? (http://technet.microsoft.com/de-de/library/cc512587%28en-us%29.aspx)

Quote
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.

The guys here do a great job when helping with infections, but in the case of rootkits, this simply is not enough.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Pondus on March 25, 2011, 12:35:33 PM
Quote
but in the case of rootkits, this simply is not enough.
I am not sure Essexboy agrees......
The plan is to end this with an OTS log and have him look at it anyway.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 12:38:38 PM
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 12:20:13
-----------------------------
12:20:13.194    OS Version: Windows 6.0.6000
12:20:13.194    Number of processors: 2 586 0xE0C
12:20:13.194    ComputerName: SABRIA-PC  UserName: Sabria
12:20:14.005    Initialize success
12:20:16.298    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
12:20:16.298    Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
12:20:16.314    Disk 0 MBR read successfully
12:20:16.329    Disk 0 MBR scan
12:20:16.329    Disk 0 scanning sectors +312578048
12:20:16.361    Disk 0 scanning C:\Windows\system32\drivers
12:20:21.275    Service scanning
12:20:23.537    Disk 0 trace - called modules:
12:20:23.583    ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll iaStor.sys
12:20:23.583    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8598e030]
12:20:23.599    3 ntkrnlpa.exe[824b07e2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84fd5030]
12:20:23.599    Scan finished successfully
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Pondus on March 25, 2011, 12:41:11 PM
Well, that looks clean.


Download Malwarebytes and run a quick scan.

Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest database before you scan.
Click the "Remove Selected" button to quarantine anything found.

Post the scan log.
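The log triage Pondus does by eye in this thread (the TDL4@MBR tag, "MBR hidden", unresolved code in the disk-stack trace, and then the post-reboot trace that "looks clean") as an added Python example; this is not code from the thread or from AVAST. It assumes the aswMBR 0.9.4 line formats shown in the posted logs, and the sample log text below is constructed from those posts.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed samples: the indicator lines from the first (infected) and the
# post-reboot (clean) aswMBR logs in this thread, trimmed to what matters.
INFECTED_LOG = r"""
11:42:37.105    Disk 0 TDL4@MBR code has been found
11:42:37.105    Disk 0 MBR hidden
11:42:37.105    Disk 0 MBR [TDL4]  **ROOTKIT**
11:42:37.120    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:42:37.120    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a26ad8]
11:42:37.136    \Driver\iaStor[0x862f1b50] -> IRP_MJ_CREATE -> 0x86796439
11:42:37.151    Scan finished successfully
"""
# Same run after clicking Fix: indicators are still logged, then the repair.
FIXED_LOG = INFECTED_LOG + r"""
11:52:52.780    Disk 0 fixing MBR
11:53:02.810    Disk 0 MBR restored successfully
11:53:02.810    Infection fixed successfully - please reboot ASAP
"""
CLEAN_LOG = r"""
12:20:16.314    Disk 0 MBR read successfully
12:20:23.583    ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll iaStor.sys
12:20:23.583    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8598e030]
12:20:23.599    Scan finished successfully
"""

RE_MBR_CODE = re.compile(r"Disk \d+ (\S+)@MBR code has been found")
RE_ROOTKIT = re.compile(r"Disk \d+ MBR \[(\w+)\]\s+\*\*ROOTKIT\*\*")
RE_HIDDEN = re.compile(r"Disk \d+ MBR hidden")
RE_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
RE_DISPATCH = re.compile(
    r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")

@dataclass
class MbrTriage:
    families: list = field(default_factory=list)  # rootkit tags seen, e.g. ["TDL4"]
    mbr_hidden: bool = False              # real MBR not readable through the normal path
    unknown_module: Optional[str] = None  # code in the disk stack aswMBR could not map
    hooked_dispatch: Optional[tuple] = None  # (driver, IRP major function, target)
    mbr_restored: bool = False
    reboot_required: bool = False

    @property
    def infected(self) -> bool:
        return bool(self.families) or self.mbr_hidden or self.hooked_dispatch is not None

    @property
    def next_step(self) -> str:
        if self.infected and self.mbr_restored:
            return "MBR restored: reboot, scan again and confirm the new log is clean"
        if self.infected:
            return "MBR rootkit active: scan again and click Fix"
        return "clean: no MBR rootkit indicators"

def triage_aswmbr_log(text: str) -> MbrTriage:
    """Parse one aswMBR log in the format posted in this thread."""
    t = MbrTriage()
    dispatches = []
    for line in text.splitlines():
        if m := RE_MBR_CODE.search(line) or RE_ROOTKIT.search(line):
            if m.group(1) not in t.families:
                t.families.append(m.group(1))
        if RE_HIDDEN.search(line):
            t.mbr_hidden = True
        if m := RE_UNKNOWN.search(line):
            t.unknown_module = m.group(1)
        if m := RE_DISPATCH.search(line):
            dispatches.append(m.groups())
        if "MBR restored successfully" in line:
            t.mbr_restored = True
        if "please reboot" in line:
            t.reboot_required = True
    # A dispatch routine pointing at code aswMBR could not attribute to any loaded
    # driver is the hooked disk stack; a dispatch into a known module is normal.
    t.hooked_dispatch = next((d for d in dispatches if d[2] == t.unknown_module), None)
    return t
```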



Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: doktornotor on March 25, 2011, 12:51:54 PM
MBAM is not particularly good when it comes to rootkits. If anything, I'd suggest Hitman Pro (activate the 30-day trial license if it finds the rootkit). Also, this article covers multiple anti-rootkit tools: http://www.techrepublic.com/blog/networking/rootkits-is-removing-them-even-possible/736


Anyway, as I already said, I do not believe in disinfecting systems compromised by rootkit.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 12:55:51 PM
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6165

Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.17037

25/03/2011 12:52:17
mbam-log-2011-03-25 (12-52-04).txt

Scan type: Quick scan
Objects scanned: 153511
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 65
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{F244A744-534D-4A46-855F-C0C7E9F27DAA} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{030C9927-10FC-4169-97A2-55BECD5D88D8} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl.1 (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3E2DFD6A-4E20-4D4C-AA8B-E1F9DBEF3C80} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButton.1 (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButton (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{714E0876-FCEE-49CE-A429-B9AD8AEFCB56} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButtonA.1 (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButtonA (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand.1 (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{DD15BCC0-5FE9-4690-A957-99FA60ED9D26} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbAx.1 (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbAx (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{B035BA6B-57CD-4F72-B545-65BE465FCAF6} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{D44FD6F0-9746-484E-B5C4-C66688393872} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{0EB3F101-224A-4B2B-9E5B-DF720857529C} (Adware.ShoppingReport2) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) -> No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\ShoppingReport2 (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ResultBar (Adware.ResultBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport2 (Adware.ShoppingReport2) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 12:56:19 PM
Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ResultBar (Adware.ResultBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingReport2 (Adware.Hotbar) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Value: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Value: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qnexayoqane (Trojan.Agent.U) -> Value: Qnexayoqane -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\resultbar (Adware.ResultBar) -> No action taken.
c:\program files\funwebproducts (Adware.MyWebSearch) -> No action taken.
c:\program files\funwebproducts\screensaver (Adware.MyWebSearch) -> No action taken.
c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> No action taken.
c:\program files\mywebsearch (Adware.MyWebSearch) -> No action taken.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) -> No action taken.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) -> No action taken.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) -> No action taken.
c:\program files\resultbar (Adware.ResultBar) -> No action taken.
c:\program files\shoppingreport2 (Adware.ShoppingReport2) -> No action taken.
c:\program files\shoppingreport2\Bin (Adware.ShoppingReport2) -> No action taken.
c:\program files\shoppingreport2\Bin\2.7.21 (Adware.ShoppingReport2) -> No action taken.

Files Infected:
c:\Users\Sabria\AppData\Local\Temp\srweanxmoc.exe (Adware.Agent) -> No action taken.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> No action taken.




Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 01:17:57 PM
I have quarantined all the selected files and rebooted, but I still can only open in Safe Mode as Windows keeps shutting down when opened normally. I get some blue screen with something written and then it shuts down... it's too quick for me to read.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Pondus on March 25, 2011, 01:29:49 PM
OK... I am not sure if you can do this in Safe Mode, but you may try running OTS and posting the log.


Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)


To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( OTS log )


I will notify Essexboy now so he will look at this when he arrives here in... 7-8 hours.
May take longer if there is cricket on TV   ;D

Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 01:50:11 PM
Hi,

I have scanned with OTS and attached the log. When will I be able to use the computer normally?

Thanks
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Pondus on March 25, 2011, 01:52:14 PM
You have to wait for Essexboy's advice.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 01:58:12 PM
Ok thanks for helping anyway.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: essexboy on March 25, 2011, 07:16:13 PM
Hi, this fix may take 10-15 minutes as there are a multitude of temporary files, so be patient.

When done, try to restart; if it blue screens, capture as much as you can from the screen.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {258C9770-1713-4021-8D7E-1F184A2BD754} [HKLM] -> [ShoppingReport2]
YN -> {DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> [Java(tm) Plug-In 2 SSV Helper]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2436393040-1978007685-914896767-1000\] > -> HKEY_USERS\S-1-5-21-2436393040-1978007685-914896767-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{A057A204-BACC-4D26-C39E-35F1D2A32EC8}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "MDM" -> ["C:\Program Files\M-Budget\M-Budget Data Manager\LscaGui.exe"]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {DB38E21A-0133-419d-92AD-ECDFD5244D6D}:{3E2DFD6A-4E20-4d4c-AA8B-E1F9DBEF3C80} [HKLM] -> [Button: ShopperReports - Compare product prices]
YN -> {EB620C54-E229-4942-87CE-E717109FC8C6}:{714E0876-FCEE-49ce-A429-B9AD8AEFCB56} [HKLM] -> [Button: ShopperReports - Compare travel rates]
[Files - No Company Name]
NY ->  pkgeuyo.sys -> C:\Windows\System32\drivers\pkgeuyo.sys
NY ->  temppf.sys -> C:\Windows\System32\temppf.sys
[Empty Temp Folders]
[EmptyFlash]

 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 25, 2011, 11:58:49 PM
Hi,

So I did as you said and ran the Run Fix, but after I did that I got a message saying that I must reboot to have the files removed. So I rebooted; no Notepad came up, so I'm not sure how to get the log. Also the blue screen still comes up when I try to open Windows normally. The blue screen comes up for a split second. The most I can get from it is that it says 'a problem has been detected, Windows is shutting down to avoid delays', it's something along those lines. As I said, it goes so quickly that I'm unable to get much more from it. Please let me know what I should do next.

Thank you.
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: doktornotor on March 26, 2011, 12:01:02 AM
The time spent trying to fix the unfixable would have better been used to reinstall your system. You would be done now and would have a system that you can trust.

http://forum.avast.com/index.php?topic=74627.msg618213#msg618213
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Smirza on March 26, 2011, 12:41:44 AM
Is that easier? What does it require?
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: znop on May 25, 2011, 10:36:31 PM
I also contracted the "MBR:\\.\PHYSICALDRIVE0"...  I simply downloaded and ran TDSSKiller. That seemed to work. I haven't heard back from my friend about any further problems  :)
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: zeeshanaskari on June 17, 2011, 08:38:47 AM
aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-17 11:32:41
-----------------------------
11:32:41.468    OS Version: Windows 5.1.2600 Service Pack 3
11:32:41.468    Number of processors: 2 586 0x1706
11:32:41.468    ComputerName: ZEESHAN  UserName:
11:32:41.937    AVAST engine 6.0.1125 defs: 11061601
11:32:41.937    Initialize success
11:32:44.109    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
11:32:44.109    Disk 0 Vendor: Intel___ 1.0. Size: 476937MB BusType: 8
11:32:44.109    Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskZeeshan1.0.00__#4&765a36c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:32:44.109    Disk 0 MBR read successfully
11:32:44.109    Disk 0 MBR scan
11:32:44.109    Disk 0 Alureon-C@mbr [Rtk]
11:32:44.109    Disk 0 TDL4@MBR code has been found
11:32:44.109    Disk 0 Windows XP default MBR code found via API
11:32:44.109    Disk 0 MBR hidden
11:32:44.109    Disk 0 MBR [TDL4]  **ROOTKIT**
11:32:44.109    Disk 0 trace - called modules:
11:32:44.125    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8abe8555]<<
11:32:44.125    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ab07ab8]
11:32:44.125    3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> [0x8913f688]
11:32:44.125    \Driver\iaStor[0x8abe5030] -> IRP_MJ_CREATE -> 0x8abe8555
11:32:44.125    AVAST engine scan C:\WINDOWS\system32
11:34:01.406    Scan finished successfully
11:35:00.843    Disk 0 MBR has been saved successfully to "C:\MBR.dat"
11:35:00.843    The log file has been saved successfully to "C:\aswMBR17JunXI-1.txt"
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: Pondus on June 17, 2011, 09:45:45 AM
@zeeshanaskari

Quote
11:32:44.109    Disk 0 Alureon-C@mbr [Rtk]
11:32:44.109    Disk 0 TDL4@MBR code has been found
11:32:44.109    Disk 0 MBR [TDL4]  **ROOTKIT**

* Run a new scan and click "Fix", then reboot
* After reboot, scan again, click "Save log" and post it in your next reply
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: tilakv on September 09, 2011, 11:25:41 PM
Hi
I have the same issue as the OP. Please help.
Rootkit virus. The boot-time scan finds it and fixes it, and when I log into the machine, it's back again. Can someone help?
Title: Re: Avast! wont delete rootkit - File name MBR://./PHYSICALDRIVE0
Post by: DavidR on September 10, 2011, 12:06:33 AM
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on logs to assist in cleaning malware. Use the information about getting and using the logs, and start your own new topic here http://forum.avast.com/index.php?board=4.0 and attach the logs there, not in the LOGS topic.