Author Topic: Redirect virus/ rootkit/ scvhost.exe threat detected

pamzila

  • Guest
Redirect virus/ rootkit/ scvhost.exe threat detected
« on: February 27, 2011, 12:49:37 PM »
Hello, I'm new to the forums and I'm hoping that someone can help me with this problem I'm having.

I recently borrowed my boyfriend's laptop when I noticed that it was behaving strangely, so I ran a system scan which revealed a virus (or rootkit) called MBR:\\PHYSICALDRIVE0 and then prompted me to delete now and run a boot scan. Avast now continually prompts me to delete the 'rootkit' and run a boot scan every time the laptop is switched on.

Avast also detected svchost.exe as a threat a number of times whilst I was using it, and the internet browser redirects Google searches constantly. I recently downloaded OTL.exe from http://forum.avast.com/index.php?topic=66698.0 but Windows is not allowing me to open the program on the laptop, even in safe mode. The error message for that reads:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item".

Now the laptop is being sluggish to load up, not loading the taskbar, desktop image or desktop shortcuts (but I can still access files by running them from Task Manager).
I have been trying to repair the problem myself but there appears to be more than one thing going on.
Somebody please help!

Thank you forum!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #1 on: February 27, 2011, 12:53:21 PM »
Hi there, let me see what you have.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

Click the "Fix" button in case of infection.

Save the aswMBR.log to the desktop. Then post the log in your next reply.

THEN

Then try this; if it fails, go to Plan B.

Note: If using Firefox right-click on any download links and choose Save As.

Please download OTH to your desktop
Please download OTL to your desktop
Please download the attached file Scan.txt to your desktop
Please download the attached file Scan.txt to your desktop

Double click the OTH file to run it and click Kill All Processes; your desktop will go blank.

Then select Start OTL. OTL will now run.

  • Double-click on the Custom Scans box and a message box will pop up asking if you want to load a custom scan from a file.
    Select Scan.txt that you downloaded.

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Click the Internet Explorer button, post these logs in your Virus Removal topic.
Plan B

Download Rkill from here; there are several flavours to choose from, if one does not work then try the next:

* rkill.com
* rkill.scr
* rkill.pif

Once it is downloaded, double-click on rkill in order to automatically attempt to stop any processes associated with Security Central and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Central when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Central. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of my instructions.

Do not reboot your computer after running rkill as the malware programs will start again.

Then run OTL as above.

pamzila

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #2 on: February 27, 2011, 01:30:06 PM »
I had to unblock the executable to get it going.

Here's what aswMBR.exe found:

aswMBR version 0.9.2 Copyright(c) 2011 avast! Software
Run date: 2011-02-27 12:22:24
-----------------------------
12:22:24.957    OS Version: Windows 6.0.6000
12:22:24.957    Number of processors: 2 586 0xE0C
12:22:24.960    ComputerName: BAZZATRON-PC  UserName: Bazza
12:22:26.192    Initialize success
12:22:43.754    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
12:22:43.754    Disk 0 Vendor: FUJITSU_MHY2200BH 0000000B Size: 190782MB BusType: 3
12:22:43.769    Disk 1  \Device\Harddisk1\DR1 -> \Device\00000065
12:22:43.770    Disk 1 Vendor: Generic- 1.00 Size: 190782MB BusType: 7
12:22:43.775    Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskFUJITSU_MHY2200BH_______________________0000000B#5&f975f34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
12:22:45.784    Disk 0 MBR read successfully
12:22:45.785    Disk 0 MBR scan
12:22:45.792    Disk 0 TDL4@MBR code has been found
12:22:45.800    Disk 0 MBR hidden
12:22:45.807    Disk 0 MBR [TDL4]  **ROOTKIT**
12:22:45.824    Disk 0 trace - called modules:
12:22:45.826    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85829439]<<
12:22:45.842    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85291ad8]
12:22:45.843    3 ntkrnlpa.exe[820b06e2] -> nt!IofCallDriver -> [0x84bef928]
12:22:45.855    5 acpi.sys[8044232a] -> nt!IofCallDriver -> [0x84bd1bb0]
12:22:45.856    \Driver\atapi[0x84c1ce78] -> IRP_MJ_CREATE -> 0x85829439
12:22:45.867    Scan finished successfully
12:23:45.323    Disk 0 fixing MBR
12:23:55.326    Disk 0 MBR restored successfully
12:23:55.329    Infection fixed successfully - please reboot ASAP
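
The aswMBR output above is the kind of log a responder triages by eye. As an added example (not a tool from this thread or from avast!), the following Python pulls the indicators out of it: the rootkit family per disk, the hidden-MBR flag, the trace address that resolves to no loaded module, and the driver dispatch entry (here \Driver\atapi's IRP_MJ_CREATE) that points at that address, which is how a hooked disk stack shows up in this trace. The regular expressions are fitted to the lines in this post and are an assumption for other aswMBR versions.

```python
import re

# Lines copied from the aswMBR log pasted in Reply #2 (trimmed to the
# ones the parser keys on).  Real log text from the thread, not constructed.
SAMPLE_LOG = """\
12:22:45.792    Disk 0 TDL4@MBR code has been found
12:22:45.800    Disk 0 MBR hidden
12:22:45.807    Disk 0 MBR [TDL4]  **ROOTKIT**
12:22:45.826    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85829439]<<
12:22:45.842    1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x85291ad8]
12:22:45.856    \\Driver\\atapi[0x84c1ce78] -> IRP_MJ_CREATE -> 0x85829439
12:22:45.867    Scan finished successfully
12:23:55.329    Infection fixed successfully - please reboot ASAP
"""

# Regexes are assumptions fitted to the lines above, not an aswMBR spec.
LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+(.*)$")       # timestamp, message
ROOTKIT = re.compile(r"Disk (\d+) MBR \[(\w+)\]\s+\*\*ROOTKIT\*\*")
HIDDEN = re.compile(r"Disk (\d+) MBR hidden")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK = re.compile(r"(\\Driver\\\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")


def parse_aswmbr(log: str) -> dict:
    """Summarise one aswMBR log; every field is derived from a matching line."""
    out = {"rootkits": {}, "hidden_mbr": set(), "unknown_addrs": set(),
           "hooks": [], "fixed": False}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if (r := ROOTKIT.search(msg)):
            out["rootkits"][int(r.group(1))] = r.group(2)   # disk -> family
        elif (h := HIDDEN.search(msg)):
            out["hidden_mbr"].add(int(h.group(1)))
        elif (u := UNKNOWN.search(msg)):
            out["unknown_addrs"].add(u.group(1).lower())
        elif (k := HOOK.search(msg)):
            out["hooks"].append((k.group(1), k.group(2), k.group(3).lower()))
        elif "Infection fixed successfully" in msg:
            out["fixed"] = True
    # A dispatch routine whose address lies outside every loaded module is the
    # classic sign of a hooked disk stack: code in the disk driver's IRP path
    # that no driver image accounts for, which is what lets it hide the MBR.
    out["hooks_in_unknown_code"] = [
        h for h in out["hooks"] if h[2] in out["unknown_addrs"]]
    return out
```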

Offline essexboy

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #3 on: February 27, 2011, 01:38:37 PM »
OK, that's the MBR bootkit gone; if you could now do OTL, I will see what is left  ;D

pamzila

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #4 on: February 27, 2011, 03:02:20 PM »
I ran OTH, and then OTL as instructed. I ran the wrong scan and tried to cancel it by restarting OTL, but I got blue-screened and Windows had to restart.
Avast alerted me about the \\.\PHYSICALDRIVE0 MBR:TDL file again so I repeated the aswMBR scan, but it found nothing.
So I ran OTH and OTL again... Here's what I got [view attachments].
« Last Edit: February 27, 2011, 03:07:47 PM by pamzila »

Offline essexboy

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #5 on: February 27, 2011, 03:51:47 PM »
Sounds like you may have TDL3 as well as the TDL4.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/PopularScreenSaversFWBInitialSetup1.0.1.0.cab (Reg Error: Key error.)
    [2011/02/27 12:53:57 | 000,045,056 | ---- | M] () -- C:\Windows\System32\acovcnt.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

pamzila

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #6 on: February 27, 2011, 07:46:54 PM »
Here is the log from the OTL Quick Scan after reboot. I didn't run OTH with OTL (because I didn't know whether I'd need to run both this time again).

Logs are attached

Offline essexboy

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #7 on: February 27, 2011, 09:20:57 PM »
Hi pamzila you forgot to attach the logs  ;D

pamzila

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #8 on: February 27, 2011, 11:49:54 PM »
Oh dear... I have the logs of both the OTL.exe and ComboFix.exe but cannot open any application, files or shortcuts (i.e. iexplore.exe and taskmgr.exe). ComboFix completed its scan successfully. Would it be safe to restart Windows now?

The error notice reads:
Quote
Illegal operation attempted on a registry key marked for deletion.

I reckon that I'd still be able to post the logs if I transfer them onto a flash drive (if it's advisable and would not harm the other laptop).
« Last Edit: February 27, 2011, 11:51:57 PM by pamzila »

pamzila

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #9 on: February 28, 2011, 05:32:23 PM »
Restarted the comp. Here are the logs you requested.

Offline essexboy

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #10 on: February 28, 2011, 07:19:00 PM »
Intriguing that Combofix reports userinit infected, yet the md5 is correct.

What are your current problems?

pamzila

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #11 on: February 28, 2011, 09:17:13 PM »
Everything appears to be in order. Sorted!  ;D
Thank you for helping out  :)

Offline essexboy

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #12 on: February 28, 2011, 09:24:21 PM »
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

To manually create a new Restore Point

  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones

  • Go to Start > All programs > Accessories > system tools page
  • Select Performance Information and Tools
  • Right click Disc cleanup and select run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
Final stretch

Download and run Puran Disc Defragmenter.
For the first run I would recommend a boot defrag and disk check.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide: How did I get infected in the first place?
Keep safe  :wave:

alt21nat22

  • Guest
Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #13 on: March 01, 2011, 04:49:32 AM »
Hello, I was following this post as I am having the same problems. When I ran aswMBR.exe I messed up and clicked on the "other fix option"; I didn't pay attention to it till it was too late. Now Windows will not load and it goes to the Windows repair screen, but it says it cannot repair Windows.

Offline essexboy

Re: Redirect virus/ rootkit/ scvhost.exe threat detected
« Reply #14 on: March 01, 2011, 07:49:49 PM »
Did you press the fixmbr button?

What is your operating system?