Author Topic: Rootkit: hidden boot sector  (Read 35591 times)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit: hidden boot sector
« Reply #15 on: March 02, 2011, 08:23:48 PM »
OK, it is reporting TDL4, which is the version that can be cured by pressing the Fix button. Remember not to press FixMBR this time.

Once done, could you then post the resultant log, plus:

Download OTS to your Desktop and double-click on it to run it.
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users.
  • Under additional scans select the following:
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity Scan

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Adambrix

  • Guest
Re: Rootkit: hidden boot sector
« Reply #16 on: March 02, 2011, 08:47:39 PM »
Sorry, it won't let me just press Fix as it is greyed out and nothing happens when I press it!!??

Offline essexboy

Re: Rootkit: hidden boot sector
« Reply #17 on: March 02, 2011, 08:52:26 PM »
OK, that is intriguing; let's use a different tool. On your desktop you should have an MBR.dat file: could you right-click and scan that with Avast? It should put it in the chest. Once done, go to the chest, right-click the file and select "send to virus labs".

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
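
The MBR.dat file mentioned above is the backup of the boot sector that aswMBR left on the desktop, and the TDSSKiller "Cure" step rewrites that sector. As an added example that is not part of the original thread, here is a small Python parser for a raw 512-byte MBR dump: it checks the 0x55AA signature, reads the disk signature and the four partition entries, hashes the executable boot code (bytes 0..439) so two dumps (for instance the live MBR and the backup) can be compared, and reports how many sectors lie past the last partition, the unpartitioned tail where bootkits of the TDL family are known to keep their hidden file system. The 512-byte layout and the \\.\PhysicalDrive0 path are assumptions (the MBR.dat the thread mentions is not guaranteed to be exactly one raw sector; if it is longer, feed the first 512 bytes), and the two sample sectors are constructed in the block, not taken from the infected machine.

```python
"""Parse and compare raw MBR sector dumps (added example; constructed sample data only)."""
import hashlib
import struct

SECTOR = 512                 # one MBR sector
DISK_SIG_OFFSET = 440        # 32-bit Windows disk signature lives here
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow
PART_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

# Partition type bytes commonly seen on a Windows disk of that era
KNOWN_TYPES = {
    0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x27: "hidden NTFS (recovery)",
}


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot-code hash, disk signature, partitions and the 0x55AA check."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": KNOWN_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        # Bytes 0..439 are the code the BIOS executes; an MBR bootkit has to change these
        "boot_code_sha256": hashlib.sha256(sector[:DISK_SIG_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(current: bytes, backup: bytes) -> bool:
    """True when the executable boot code differs between two dumps (e.g. live MBR vs. a clean backup)."""
    return parse_mbr(current)["boot_code_sha256"] != parse_mbr(backup)["boot_code_sha256"]


def unallocated_tail(sector: bytes, total_sectors: int) -> int:
    """Sectors after the end of the last partition. TDL-family bootkits are known to store
    their hidden file system in this unpartitioned tail, so a large value deserves a look."""
    ends = [p["lba_start"] + p["sectors"] for p in parse_mbr(sector)["partitions"] if p["type"] != 0]
    return total_sectors - max(ends) if ends else total_sectors


def read_live_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a physical disk (assumed path; needs Administrator on Windows,
    a device such as /dev/sda on Linux). Not called by the demo below."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR)


def constructed_mbr(boot_code_fill: int) -> bytes:
    """Constructed sample (not a real dump): filler boot code, one bootable NTFS partition
    at LBA 2048 spanning 1,000,000 sectors, disk signature 0xDEADBEEF, valid 0x55AA."""
    sector = bytearray(SECTOR)
    sector[:DISK_SIG_OFFSET] = bytes([boot_code_fill]) * DISK_SIG_OFFSET
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)
    struct.pack_into(PART_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    clean = constructed_mbr(0x90)      # stands in for a known-clean backup
    tampered = constructed_mbr(0xCC)   # same partition table, different boot code
    for name, p in (("backup", parse_mbr(clean)), ("live", parse_mbr(tampered))):
        print(f"{name}: signature_ok={p['signature_ok']} disk_sig={p['disk_signature']:#010x} "
              f"boot_code_sha256={p['boot_code_sha256'][:16]}...")
        for part in p["partitions"]:
            if part["type"]:
                print(f"  part {part['index']}: {part['type_name']} start={part['lba_start']} "
                      f"sectors={part['sectors']} bootable={part['bootable']}")
    print("boot code changed:", boot_code_changed(tampered, clean))
    print("unallocated tail sectors on a 1,100,000-sector disk:", unallocated_tail(clean, 1_100_000))
```

A matching partition table with a different boot-code hash is exactly the pattern of a boot-sector infection that leaves the volumes intact, which is why the comparison hashes only bytes 0..439 and not the whole sector.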

Adambrix

Re: Rootkit: hidden boot sector
« Reply #18 on: March 02, 2011, 09:09:19 PM »
TDSSKiller log is back a couple of posts; would you like me to do it again?

Offline essexboy

Re: Rootkit: hidden boot sector
« Reply #19 on: March 02, 2011, 09:10:34 PM »
Yes please - this may be a new variant requiring a different method of attack.

Adambrix

Re: Rootkit: hidden boot sector
« Reply #20 on: March 02, 2011, 09:33:31 PM »
Here you go.

Offline essexboy

Re: Rootkit: hidden boot sector
« Reply #21 on: March 02, 2011, 09:39:00 PM »
OK, it said it was cured. So, a quick check: we will use ASWmbr as it is faster.

Run it and post the log please.

Then:

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe and follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Adambrix

Re: Rootkit: hidden boot sector
« Reply #22 on: March 02, 2011, 10:15:54 PM »
Here we go

Offline essexboy

Re: Rootkit: hidden boot sector
« Reply #23 on: March 02, 2011, 11:03:35 PM »
Hmm, it must be a new variant, as ComboFix is not detecting it at all.

What is the make of your computer, i.e. Dell, HP?

Adambrix

Re: Rootkit: hidden boot sector
« Reply #24 on: March 03, 2011, 11:38:25 AM »
I built it myself! Asus motherboard (PQ5-EM), Q6600 CPU, ATI 5770 GPU.

Offline essexboy

Re: Rootkit: hidden boot sector
« Reply #25 on: March 03, 2011, 08:56:59 PM »
OK, let's use the AVPTool analyser as I will need to see if there is a respawner hiding.

Download AVPTool from Here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan:

On the first tab select all elements down to Computer and then select Start Scan.
Once it has finished, select Report and post that.

Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now an analysis scan:

Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

Adambrix

Re: Rootkit: hidden boot sector
« Reply #26 on: March 03, 2011, 10:28:20 PM »
Here's the first report; it stopped checking after this came up? Other to follow.

Adambrix

Re: Rootkit: hidden boot sector
« Reply #27 on: March 03, 2011, 10:38:08 PM »
The forum won't let me send a zip file for the manual disinfection report?

Offline essexboy

Re: Rootkit: hidden boot sector
« Reply #28 on: March 03, 2011, 11:19:09 PM »
Sorry, forgot about that.

Quote
Detected: Rootkit.Win32.TDSS.mbr   C:\Users\Fray Bentos\Desktop\MBR.dat

Looks like the only copy of the TDSS it found was in the backup copy of ASWmbr.

Upload the zip to Mediafire and post the sharing link please.

Adambrix

Re: Rootkit: hidden boot sector
« Reply #29 on: March 04, 2011, 10:28:47 AM »