avast says I have rootkit. MBR: \\.\PHYSICALDRIVE0

[Shadowkind]

Hi first time here, anyway this is my parents computer. (XP)javascript:void(0); I knew it was having issues, Avira didn't find much so I installed avast, right away the box pops up that tells me it found a root kit, file name - MBR: \\.\PHYSICALDRIVE0 I click delete & avast prompts me to run boot scanner. In boot scan it says "File MBR is infected by Alureon-G@MBR [RTK]" It will finish the boot scan and start the whole proses over again. (Google search in FF has also been randomly redirecting to spam? pages) Thanks in advance for any help!

[essexboy]

Download aswMBR.exe ( 511KB ) to your desktop.
 
Double click the aswMBR.exe to run it
 
Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply

[Shadowkind]

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-15 13:33:11
-----------------------------
13:33:11.979    OS Version: Windows 6.0.6000
13:33:11.979    Number of processors: 1 586 0x209
13:33:11.979    ComputerName: COMPUTER-PC  UserName: Computer
13:33:12.416    AVAST engine 6.0.1125 defs: 11061202
13:33:12.416    Initialize success
13:33:35.057    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:33:35.073    Disk 0 Vendor: WDC_WD800BB-53DKA0 77.07W77 Size: 76319MB BusType: 3
13:33:37.088    Disk 0 MBR read successfully
13:33:37.088    Disk 0 MBR scan
13:33:37.104    Disk 0 Alureon-G@mbr [Rtk]
13:33:37.104    Disk 0 TDL4@MBR code has been found
13:33:37.119    Disk 0 MBR [TDL4]  **ROOTKIT**
13:33:37.119    Disk 0 scanning C:\Windows\system32\drivers
13:33:50.182    Service scanning
13:33:51.729    Disk 0 trace - called modules:
13:33:51.744    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
13:33:51.760    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83a38ad8]
13:33:51.776    3 ntoskrnl.exe[818a80af] -> nt!IofCallDriver -> [0x830cf8f0]
13:33:51.807    5 acpi.sys[8047b32a] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x830d1bb0]
13:33:51.823    AVAST engine scan C:\Windows\system32
13:36:06.588    Scan finished successfully
13:37:25.510    Disk 0 MBR has been saved successfully to "G:\MBR.dat"
13:37:27.119    The log file has been saved successfully to "G:\results.txt"

[DavidR]

I don't generally jump in when essexboy is on the job, but his time is limited and you can either wait or continue with the next step having found an MBR Rootkit.

In this case - [TDL4] **ROOTKIT** found:
 

* scan again then click "FIX" and reboot

** after reboot, scan again. then click "Save log" and post it in your next reply.

[Shadowkind]

I rescanned but I can't click fix, only fixMBR. That ok?

[essexboy]

Run a fresh aswMBR scan please and post the log ..  Avast may have cured it if you have rebooted

[Shadowkind]

Here's the rescan

aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-15 14:18:37
-----------------------------
14:18:37.114    OS Version: Windows 6.0.6000
14:18:37.114    Number of processors: 1 586 0x209
14:18:37.114    ComputerName: COMPUTER-PC  UserName: Computer
14:18:37.489    AVAST engine 6.0.1125 defs: 11061202
14:18:37.489    Initialize success
14:18:41.411    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:18:41.411    Disk 0 Vendor: WDC_WD800BB-53DKA0 77.07W77 Size: 76319MB BusType: 3
14:18:43.427    Disk 0 MBR read successfully
14:18:43.427    Disk 0 MBR scan
14:18:43.442    Disk 0 Alureon-G@mbr [Rtk]
14:18:43.442    Disk 0 TDL4@MBR code has been found
14:18:43.458    Disk 0 MBR [TDL4]  **ROOTKIT**
14:18:43.458    Disk 0 scanning C:\Windows\system32\drivers
14:18:53.333    Service scanning
14:18:54.817    Disk 0 trace - called modules:
14:18:54.833    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
14:18:54.849    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83a38ad8]
14:18:54.849    3 ntoskrnl.exe[818a80af] -> nt!IofCallDriver -> [0x830cf8f0]
14:18:54.880    5 acpi.sys[8047b32a] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x830d1bb0]
14:18:54.896    AVAST engine scan C:\Windows\system32
14:21:13.161    Scan finished successfully
14:22:07.906    Disk 0 MBR has been saved successfully to "G:\MBR.dat"
14:22:09.516    The log file has been saved successfully to "G:\aswMBR.txt"

[Shadowkind]

One thing is different from your snapshots. On my screen under "Trace disk IO calls" a box is checked that says "Use avast engine" Not sure if that makes any difference...

[DavidR]

The image may relate to an earlier aswMBR version as the latest version now incorporates a short avast scan of system32 and drivers folders.

See image I did of a clean scan on my system.

[essexboy]

That is correct it scans other areas using Avast engine

Please read carefully and follow these steps.  

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
   
   
  
   
   
  
• If an infected file is detected, the default action will be Cure, click on Continue.
   
   
  
   
   
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
   
   
  
   
   
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
   
   
  
   
   
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

[Shadowkind]

Ok guys I'll download that & run it. Have to run to work now but I'll post that log as soon as I get home. Thank you both for your help so far!!

[Shadowkind]

So after reboot avast didn't pop up a warning box. So far so good! Here's the TDSSkiller log.

[essexboy]

What problems remain

[Shadowkind]

Sorry I was gone for awhile. I thought everything was fine but now a box keeps poping up saying -
"An unauthorized change was made to windows
 You will no longer receive notifications, including those about your license or activation. Use the link below to find out how to fix your system.
Error: 0xC004D401
Description: The security processor reported a system file mismatch error.

Learn more online"

Again, sorry about not getting back sooner.

[Shadowkind]

Other than that box that keeps popping up everything seems fine, except after it pops up you can't print anything.