Topic: Can't delete MBR: \\.\physicaldrive0 rootkit name hidden boot sector


NESS0822

  • Guest
Hello...
Avast found a rootkit on my scan and I tried to delete it, but Avast won't do anything. I also ran a boot-time scan and it is not found there. I found a post that suggested downloading aswMBR, and I did; all it says is that it found malicious activity, then it shuts down Windows and keeps restarting. Any ideas or help, please!

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • Posts: 1048
  • Proud Community Member&Helper.
Hello,

Download and run aswMBR from here: http://public.avast.com/~gmerek/aswMBR.htm
Download
Run
Scan
Post the log please.

Regards
Philip :)
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

NESS0822

  • Guest
Hi..
I already downloaded aswMBR, and when I go to run it my laptop shuts down; I cannot run it at all! Not sure what to do with that...

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: Can't delete MBR: \\.\physicaldrive0 rootkit name hidden boot sector
« Reply #3 on: June 01, 2011, 03:56:44 PM »
NESS0822, does it shut down just when you try to run it, or after you click Scan?

If it's after you click Scan,
then please un-check "Trace I/O calls" first and then click Scan.
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

NESS0822

  • Guest
Re: Can't delete MBR: \\.\physicaldrive0 rootkit name hidden boot sector
« Reply #4 on: June 01, 2011, 04:46:22 PM »
Dwarden... It shuts down after I click Scan. I also tried what you suggested, and even after I unchecked "Trace disk I/O calls" I just get a blue screen and it shuts down!

NESS0822

  • Guest
Re: Can't delete MBR: \\.\physicaldrive0 rootkit name hidden boot sector
« Reply #5 on: June 01, 2011, 05:24:16 PM »
So I downloaded TDSSKiller and also the OTS program. I ran TDSSKiller; it found the threat, I selected "Cure" and rebooted as it instructed. Then I ran OTS. I will post the log it came up with, and hopefully someone can tell me if it seems to be gone?! Thank you for your help!
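
Added example, not part of this thread and not code from Avast, Kaspersky or OldTimer: after a "Cure" of an MBR infection the check worth doing is to read sector 0 of the disk yourself and compare it against a known-good copy, because the partition table can be intact while the 446 bytes of bootstrap code in front of it have been replaced. The script below parses a 512-byte MBR (bootstrap code, four 16-byte partition entries, 0x55AA signature), hashes the code area and the table separately, and diffs two reads. The two sample images are constructed here, not taken from the poster's machine. `read_live_mbr()` opens `\\.\PhysicalDrive0` and needs an elevated prompt; a bootkit that filters disk I/O can hand the original sector back to reads made from inside the infected system, so take the second read from a boot CD or another OS and feed both to `diff_mbr()`.

```python
"""Added example: parse a 512-byte MBR and compare two reads of it."""
import hashlib
import struct

MBR_SIZE = 512
CODE_END = 446            # bytes 0-445: bootstrap code, the part a bootkit overwrites
TABLE_END = 510           # bytes 446-509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"   # bytes 510-511


def has_boot_signature(image: bytes) -> bool:
    return len(image) == MBR_SIZE and image[TABLE_END:MBR_SIZE] == SIGNATURE


def parse_entry(raw: bytes) -> dict:
    # status | CHS start (3) | type | CHS end (3) | LBA start | sector count, little-endian
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(image: bytes) -> dict:
    if not has_boot_signature(image):
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    entries = [parse_entry(image[CODE_END + 16 * i: CODE_END + 16 * (i + 1)]) for i in range(4)]
    return {
        "code_sha256": hashlib.sha256(image[:CODE_END]).hexdigest(),
        "table_sha256": hashlib.sha256(image[CODE_END:TABLE_END]).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0],
    }


def diff_mbr(read_a: bytes, read_b: bytes) -> dict:
    """Report which region differs between two reads of the same sector.
    Changed code with an untouched partition table is the pattern to look for:
    the machine still boots normally, just not through the original code."""
    a, b = parse_mbr(read_a), parse_mbr(read_b)
    return {"code_changed": a["code_sha256"] != b["code_sha256"],
            "table_changed": a["table_sha256"] != b["table_sha256"]}


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of the first disk on Windows (elevated prompt required).
    A bootkit that filters disk I/O may return the original sector here, so also
    read the disk from a boot CD or another OS and diff the two copies."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample(code: bytes) -> bytes:
    """Constructed test image: one bootable NTFS (type 0x07) partition at LBA 2048."""
    code = code.ljust(CODE_END, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return code + entry + b"\x00" * 48 + SIGNATURE


# Constructed inputs (assumed, not from the poster's disk): a baseline and a copy whose
# bootstrap code differs while the partition table is byte-for-byte identical.
BASELINE_MBR = build_sample(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
ALTERED_MBR = build_sample(b"\xeb\xfe")

if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR)["partitions"])
    print(diff_mbr(BASELINE_MBR, ALTERED_MBR))
```

Hashing the code area and the partition table separately is the point of the example: a diff that says `code_changed` but not `table_changed` is exactly what a boot-sector infection looks like, and what a quick look at the partition layout would miss.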


NESS0822

  • Guest
Re: Can't delete MBR: \\.\physicaldrive0 rootkit name hidden boot sector
« Reply #6 on: June 01, 2011, 05:27:55 PM »
[Processes - Safe List]
ots.exe -> C:\Users\hp\Desktop\OTS.exe -> [2011/06/01 08:56:38 | 000,645,632 | ---- | M] (OldTimer Tools)
avastui.exe -> C:\Program Files\Alwil Software\Avast5\AvastUI.exe -> [2011/05/10 06:10:58 | 003,459,712 | ---- | M] (AVAST Software)
pdvddxsrv.exe -> C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe -> [2009/02/04 22:26:38 | 000,128,232 | ---- | M] (CyberLink Corp.)
 
[Modules - Safe List]
ots.exe -> C:\Users\hp\Desktop\OTS.exe -> [2011/06/01 08:56:38 | 000,645,632 | ---- | M] (OldTimer Tools)
snxhk.dll -> C:\Program Files\Alwil Software\Avast5\snxhk.dll -> [2011/05/10 06:10:55 | 000,199,792 | ---- | M] (AVAST Software)
comctl32.dll -> C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll -> [2010/08/31 09:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation)
 
[Win32 Services - Safe List]
64bit-(avast! Antivirus)  [Auto | Running] -> C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -> [2011/05/10 06:10:57 | 000,042,184 | ---- | M] (AVAST Software)
64bit-(wlcrasvc)  [Disabled | Stopped] -> C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -> [2010/09/22 19:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation)
64bit-(hpsrv)  [Auto | Running] -> C:\Windows\SysNative\Hpservice.exe -> [2010/07/16 16:03:58 | 000,030,520 | ---- | M] (Hewlett-Packard Company)
64bit-(AgereModemAudio)  [Auto | Running] -> C:\Program Files\LSI SoftModem\agr64svc.exe -> [2008/08/26 20:02:20 | 000,016,896 | ---- | M] (Agere Systems)
64bit-(AppMgmt)  [On_Demand | Stopped] -> C:\Windows\SysNative\appmgmts.dll -> [2008/01/20 20:49:41 | 000,195,584 | ---- | M] (Microsoft Corporation)
64bit-(WinDefend)  [Auto | Running] -> C:\Program Files\Windows Defender\MpSvc.dll -> [2008/01/20 20:45:48 | 000,383,544 | ---- | M] (Microsoft Corporation)
(clr_optimization_v4.0.30319_32) Microsoft .NET Framework NGEN v4.0.30319_X86 [Auto | Stopped] -> C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -> [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation)
(clr_optimization_v2.0.50727_32) Microsoft .NET Framework NGEN v2.0.50727_X86 [Disabled | Stopped] -> C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2009/03/29 22:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation)
(PLFlash DeviceIoControl Service) PLFlash DeviceIoControl Service [Auto | Running] -> C:\Windows\SysWOW64\IoctlSvc.exe -> [2006/12/19 11:30:26 | 000,081,920 | ---- | M] (Prolific Technology Inc.)
 
[Driver Services - Safe List]
64bit-(aswMonFlt) aswMonFlt [File_System | Auto | Running] -> C:\Windows\SysNative\drivers\aswMonFlt.sys -> [2011/05/10 05:59:48 | 000,064,344 | ---- | M] (AVAST Software)
64bit-(BCM43XX) Broadcom 802.11 Network Adapter Driver [Kernel | On_Demand | Running] -> C:\Windows\SysNative\DRIVERS\bcmwl664.sys -> [2011/02/12 15:29:16 | 003,060,800 | ---- | M] (Broadcom Corporation)
64bit-(fssfltr) fssfltr [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\DRIVERS\fssfltr.sys -> [2010/09/23 01:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation)
64bit-(hpdskflt) HP Filter [Kernel | Boot | Running] -> C:\Windows\SysNative\DRIVERS\hpdskflt.sys -> [2010/07/16 16:04:04 | 000,030,008 | ---- | M] (Hewlett-Packard Company)
64bit-(Accelerometer) HP Mobile Data Protection Sensor [Kernel | On_Demand | Running] -> C:\Windows\SysNative\DRIVERS\Accelerometer.sys -> [2010/07/16 16:03:48 | 000,043,320 | ---- | M] (Hewlett-Packard Company)
64bit-(GEARAspiWDM) GEAR ASPI Filter Driver [Kernel | On_Demand | Running] -> C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -> [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.)
64bit-(AgereSoftModem) Agere Systems Soft Modem [Kernel | On_Demand | Running] -> C:\Windows\SysNative\DRIVERS\agrsm64.sys -> [2008/11/21 23:05:22 | 001,253,376 | ---- | M] (Agere Systems)
64bit-(igfx) igfx [Kernel | On_Demand | Running] -> C:\Windows\SysNative\DRIVERS\igdkmd64.sys -> [2008/10/27 17:33:30 | 008,039,808 | ---- | M] (Intel Corporation)
64bit-(IntcHdmiAddService) Intel(R) High Definition Audio HDMI [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\IntcHdmi.sys -> [2008/09/21 14:49:58 | 000,126,464 | ---- | M] (Intel(R) Corporation)
64bit-(RTL8169) Realtek 8169 NT Driver [Kernel | On_Demand | Running] -> C:\Windows\SysNative\DRIVERS\Rtlh64.sys -> [2008/08/06 01:26:08 | 000,174,592 | ---- | M] (Realtek Corporation)
64bit-(Ntfs) Ntfs [File_System | On_Demand | Running] -> C:\Windows\SysNative\Wbem\ntfs.mof -> [2006/09/18 15:36:24 | 000,000,308 | ---- | M] ()
[Registry - Safe List]
< 64bit-Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> C:\Windows\SysWOW64\blank.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.google.com/ ->
HKEY_CURRENT_USER\: Main\\"Start Page Redirect Cache" -> http://www.msn.com/ ->
HKEY_CURRENT_USER\: Main\\"Start Page Redirect Cache AcceptLangs" -> en-us ->
HKEY_CURRENT_USER\: Main\\"Start Page Redirect Cache_TIMESTAMP" -> 29 14 37 05 06 CB CB 01  [binary data] ->
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  ->
< FireFox Extensions [User Folders] > ->
< HOSTS File > ([2006/09/18 15:37:24 | 000,000,761 | ---- | M] - 20 lines) -> C:\Windows\SysNative\Drivers\etc\hosts ->
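
Added example, not part of the thread and not an OTS feature: the file entries in an OTS "Safe List" log all share one layout, `name -> path -> [mtime | size | attrs | M] (publisher)`, so they can be parsed and sorted rather than read top to bottom. The Python below pulls those entries out (registry, HOSTS and header lines use other layouts and are skipped), then surfaces the ones to look at first: entries with no publisher recorded and entries running from a user-writable directory. The directory list and both rules are assumptions of this example, and a hit is a prompt to look, not a verdict (OTS itself runs from the Desktop and is surfaced for that reason). The sample lines are copied from the log posted above.

```python
"""Added example: parse OTS 'Safe List' entries and pick out the ones to read first."""
import re
from datetime import datetime

SECTION_RE = re.compile(r"^\[(?P<section>[^\]]+)\]$")
ENTRY_RE = re.compile(
    r"^(?P<name>.+?) -> (?P<path>.+?) -> "
    r"\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[^|\]]+) \| (?P<kind>[A-Z])\] \((?P<vendor>[^)]*)\)\s*$"
)
# Service and driver lines carry the short service name in parentheses, e.g. "64bit-(aswMonFlt) ...".
SERVICE_NAME_RE = re.compile(r"^(?:64bit-)?\((?P<service>[^)]+)\)")

# Assumed review heuristic (not defined by the log format): directories any user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


def parse_ots(text: str) -> list:
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # registry, HOSTS and header lines use other layouts
        svc = SERVICE_NAME_RE.match(m.group("name"))
        entries.append({
            "section": section,
            "name": svc.group("service") if svc else m.group("name"),
            "path": m.group("path"),
            "mtime": datetime.strptime(m.group("mtime"), "%Y/%m/%d %H:%M:%S"),
            "size": int(m.group("size").replace(",", "")),
            "vendor": m.group("vendor").strip(),   # OTS pads some publisher names with spaces
        })
    return entries


def review_reasons(entry: dict) -> list:
    reasons = []
    if not entry["vendor"]:
        reasons.append("no publisher recorded")
    if entry["path"].lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("runs from a user-writable directory")
    return reasons


def review(text: str) -> dict:
    """Map entry name -> reasons, for entries worth a second look."""
    flagged = {}
    for entry in parse_ots(text):
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


# Lines copied from the log posted in the thread, trimmed to a few entries.
SAMPLE_LOG = r"""
[Processes - Safe List]
ots.exe -> C:\Users\hp\Desktop\OTS.exe -> [2011/06/01 08:56:38 | 000,645,632 | ---- | M] (OldTimer Tools)
avastui.exe -> C:\Program Files\Alwil Software\Avast5\AvastUI.exe -> [2011/05/10 06:10:58 | 003,459,712 | ---- | M] (AVAST Software)

[Driver Services - Safe List]
64bit-(aswMonFlt) aswMonFlt [File_System | Auto | Running] -> C:\Windows\SysNative\drivers\aswMonFlt.sys -> [2011/05/10 05:59:48 | 000,064,344 | ---- | M] (AVAST Software)
64bit-(Ntfs) Ntfs [File_System | On_Demand | Running] -> C:\Windows\SysNative\Wbem\ntfs.mof -> [2006/09/18 15:36:24 | 000,000,308 | ---- | M] ()
"""

if __name__ == "__main__":
    for name, reasons in review(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
```

An entry surfacing here is where a helper starts reading, not a verdict: the next step is to compare the same entry against a clean machine of the same Windows build, since an odd path or a blank publisher can be how the tool records the entry rather than tampering.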

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Can't delete MBR: \\.\physicaldrive0 rootkit name hidden boot sector
« Reply #7 on: June 01, 2011, 06:31:50 PM »
Attach the TDSSKiller log, please. Can you run aswMBR in Safe Mode?