[RESOLVED] Rootkit infection detected... :(

[Pony_Girl]

Hello, newbie here. =)

I appear to be having the same problem as described in this thread:
http://forum.avast.com/index.php?topic=36318.0

Here is a screen shot of the Avast! alert:


After displaying this alert, Avast! then instructs me to delete the file, so of course I click "OK" to let Avast! do what it's told me to do, Avast! then instructs me to run a computer scan, of course I do this - the computer scan says zero infected files, Avast! keeps flagging up this possible rootkit thing and repeats it's instructions to delete then run a scan.

If it helps, the antivirus I'm currently using is the downloaded Avast! Free Antivirus.

I am at a complete loss as to what to do as I don't know much about this stuff.

Thank-you all who read this for your time and interest, it's greatly appreciated. Best wishes and kind regards.
Any help and advice would be greatly appreciated, just please bear in mind I'm not all that familiar with technical terms and this area of computing in general.

[Tgell]

If avast! can not get rid of the rootkit, try Dr. Web Cureit. Do the express scan. It is very good at cleaning mbr rootkits.

http://www.freedrweb.com/cureit/?lng=en

Another that will cure an mbr rootkit would be Prevx.

http://info.prevx.com/downloadcsi.asp

[marc-d-l]

You could also try F-Secure black light.It's easy to use, small.and does the job

[xqrzd]

you probably have TDL4 rootkit, try running a scan with TDSS Killer:http://support.kaspersky.com/viruses/solutions?qid=208280684

[nmb]

Hello Pony_Girl,

I will notify essexboy, the malware expert. He will be here by 08:00pm - 11:59pm UK time

[gmer]

@Pony_Girl

Please take a look at the file:

C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\aswAr.log

In case of TDL infection you should see :

avast! Antirootkit, version 1.0
Scan started: Tuesday, February 01, 2011 10:03:42 AM

Process  [4]
...
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y120P0__________________________YAR41BW0#335930334d57455920#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
Device \Driver\atapi -> DriverStartIo 816b7abf
Disk 0 MBR [TDL4]  **ROOTKIT**

Thanks

[Pony_Girl]

@ All who've kindly taken the time to read and respond to my thread: Thank-you. =)
It's annoying knowing this problem probably is what I think it is, but at least now I know what it could be I can get round to getting it sorted and find something suitable to protect the computer from it in the future. =)

@ gmr:
On your latest post in this thread... Would I be wrong in assuming that what you're instructing me to do is in order to determine wether or not this is a TDL infection? Just curious.

[gmer]

Please send your aswAr.log file to: gmerek(at)avast.com

[essexboy]

Hi GMER does this also detect whistler ?   

[gmer]

Hi essexboy,

Yes, AVAST can detect most of MBR rootkits.

Alureon@mbr
Sinowal@mbr
Whistler@mbr

[essexboy]

Ta 

Any progress on the cleaning front ?   Although even TDSSKiller and Combofix are finding it hard to clear the latest variant

[gmer]

@essexboy

here is something you might like to check out

http://public.avast.com/~gmerek/aswMBR.htm

any feedback or comments are welcome

[essexboy]

Guess what - I will use this tool at the next available opportunity.   Is this for general release or currently under test ?

EDIT: Win7 64bit run as admin

aswMBR version 0.9 Copyright(c) 2010 avast! Software
Run date: 2011-02-01 21:15:26
-----------------------------
21:15:26.894    OS Version: Windows x64 6.1.7600
21:15:26.894    Number of processors: 2 586 0x4B02
21:15:26.894    ComputerName: MARTIN-PC  UserName: Martin
21:15:27.752    Initialze error - driver not loaded

I will try on my winxp vm next

[essexboy]

Works on 32 bit systems 

[gmer]

@essexboy, this tool is avalible for avast! community

it works on x64 however its driver is not signed yet

to run it on x64 you must "Disable Driver Signature Enforcement" (press F10 before the OS starts)