Author Topic: hi newbie here


grunge94

  • Guest
hi newbie here
« on: August 28, 2011, 11:36:34 AM »
Hi, I have the PHYSICALDRIVE0 / ROOTKIT problem and was looking for help resolving the issue ... I see other related threads here; can I just follow the actions on there, or is each one specific and unique?

Thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not an avast user
Re: hi newbie here
« Reply #1 on: August 28, 2011, 01:03:45 PM »
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )


To avoid using multiple posts with copy and paste, attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log - OTL log - aswMBR log ) save OTL log as ANSI

Essexboy will look at the logs when he arrives here later today.
« Last Edit: August 28, 2011, 02:22:43 PM by Pondus »

grunge94

  • Guest
Re: hi newbie here
« Reply #2 on: August 28, 2011, 01:18:34 PM »
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7593

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

28/08/2011 11:08:59
mbam-log-2011-08-28 (11-08-58).txt

Scan type: Quick scan
Objects scanned: 156614
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\user\local settings\Temp\ptu747_tmp.exe (PUP.Casino) -> Not selected for removal.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: hi newbie here
« Reply #3 on: August 28, 2011, 02:11:57 PM »
If you post the remaining logs I will check them out

grunge94

  • Guest
Re: hi newbie here
« Reply #4 on: August 28, 2011, 02:14:36 PM »
Here are the two files required .. I think :)

grunge94

  • Guest
Re: hi newbie here
« Reply #5 on: August 28, 2011, 02:21:24 PM »
Sorry, I think I've forgotten the aswMBR log .. it is currently scanning .. will post ASAP .. thanks

grunge94

  • Guest
Re: hi newbie here
« Reply #6 on: August 28, 2011, 02:32:00 PM »
Here's the log

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not an avast user
Re: hi newbie here
« Reply #7 on: August 28, 2011, 03:50:11 PM »
Quote
13:17:32.562    Disk 0 MBR:Whistler-C [Rtk]
13:17:32.578    Disk 0 Whistler@MBR code has been found
13:17:32.578    Disk 0 MBR [Whistler]  **ROOTKIT**

Run aswMBR and scan again, then click FixMBR and reboot when the program is finished

After reboot, scan again, click Save log and post it in your next reply
« Last Edit: August 28, 2011, 03:52:09 PM by Pondus »
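The aswMBR lines quoted above show the check an MBR scanner performs: read sector 0 of PhysicalDrive0 and compare its bootstrap code with what a clean system should carry. As an added example that is not part of this thread and not aswMBR's own code, the Python below parses a 512-byte MBR and flags bootstrap code whose hash differs from a trusted baseline. The sector images, the "clean" boot code bytes, the baseline hash and the partition layout are all constructed for illustration; the "infected" image models what an MBR bootkit does, replacing the bootstrap code while leaving the partition table intact so the machine still boots.

```python
"""Parse a 512-byte MBR and flag bootstrap code that differs from a trusted baseline.

Added example for this thread, not part of the original posts and not aswMBR's
own code. The sector images below are constructed: the "clean" boot code is a
stand-in, not real Windows XP boot code, and TRUSTED_HASH is derived from it
the way an integrity checker would record a baseline from a known-clean system.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440            # bytes 440..443: NT disk signature
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
# status, CHS start (3 bytes skipped), type, CHS end (3 bytes skipped), LBA start, sector count
PART_FMT = "<B3xB3xII"


def build_mbr(boot_code, disk_sig, partitions):
    """Assemble a sector image from its parts (fixture helper for the constructed images)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, PARTITION_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the bootstrap-code hash, the disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(sector, trusted_boot_code_sha256):
    """Return a list of findings; an empty list means the MBR matches expectations."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != trusted_boot_code_sha256:
        findings.append("bootstrap code differs from trusted baseline (possible MBR rootkit)")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


# Constructed fixtures: one active NTFS (0x07) partition starting at LBA 63, a typical XP layout.
PARTITIONS = [(0x80, 0x07, 63, 20_964_762)]
DISK_SIG = 0x1A2B3C4D
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 20  # stand-in, not real code
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, DISK_SIG, PARTITIONS)
TRUSTED_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Bootkit-style tampering: different boot code, identical disk signature and partition table.
INFECTED_MBR = build_mbr(bytes.fromhex("eb1e") + b"\xcc" * 64, DISK_SIG, PARTITIONS)


def read_physical_drive0():
    """Read the live MBR on Windows (needs administrator rights); not called by this example."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(image, TRUSTED_HASH) or ["OK"])
```

On a live system the same check is pointed at the first 512 bytes of \\.\PhysicalDrive0, read as administrator, with the baseline hash recorded while the machine was known clean. The check also reports a partition table with zero or several active entries, or overlapping entries; restoring standard boot code with FixMBR does not touch the partition table, so those findings need separate attention.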

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: hi newbie here
« Reply #8 on: August 28, 2011, 04:15:24 PM »
What Pondus said but with pretty pictures  ;D

Re-Run aswMBR

Click Scan

On completion of the scan, click the FixMBR button

Save the log as before and post in your next reply

THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O4 - HKU\S-1-5-21-1844237615-1659004503-1644491937-1004..\Run: [NwiQiuwu] File not found
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\user\Local Settings\Application Data\ftqexrne\nwiqiuwu.exe) - File not found
    [2011/08/19 22:45:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\ftqexrne

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
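The OTL fix above removes a Winlogon UserInit entry and a Run value that both point at a file under the user's profile which no longer exists, and the Malwarebytes log earlier in the thread found the three Security Center DisableNotify flags set to 1. As an added example that is not part of this thread and not OTL's or Malwarebytes' own logic, the Python below audits a snapshot of those values for the same three signs of tampering. The snapshot is constructed from the values quoted in the thread; the Run entry's command line is not shown in the thread, so the path used for it is an assumption, and the file-existence lookup is a stand-in for os.path.exists so the example runs offline.

```python
"""Audit the XP autostart and Security Center values that were tampered with in this thread.

Added example, not part of the original posts and not OTL's or Malwarebytes'
own logic. SNAPSHOT is constructed from the registry locations and values the
thread quotes; on a live Windows system they would be read with the standard
library's winreg module, which this offline example does not use.
"""

STOCK_USERINIT = r"C:\WINDOWS\system32\userinit.exe"  # the only entry a clean XP box should carry
PROFILE_ROOT = "c:\\documents and settings\\"          # user-writable without admin rights

SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit":
        r"C:\WINDOWS\system32\userinit.exe,"
        r"C:\Documents and Settings\user\Local Settings\Application Data\ftqexrne\nwiqiuwu.exe,",
    r"HKU\S-1-5-21-1844237615-1659004503-1644491937-1004\Software\Microsoft\Windows\CurrentVersion\Run": {
        # Command line assumed: the thread only shows "[NwiQiuwu] File not found".
        "NwiQiuwu": r"C:\Documents and Settings\user\Local Settings\Application Data\ftqexrne\nwiqiuwu.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Security Center": {
        "AntiVirusDisableNotify": 1,
        "FirewallDisableNotify": 1,
        "UpdatesDisableNotify": 1,
    },
}

# Files present on the constructed box; the dropper's exe is gone, as OTL reported "File not found".
EXISTING_FILES = {r"c:\windows\system32\userinit.exe", r"c:\windows\system32\ctfmon.exe"}


def file_exists(path):
    """Stand-in for os.path.exists against the constructed file list (case-insensitive, like NTFS)."""
    return path.lower() in EXISTING_FILES


def in_user_profile(path):
    """True for paths under a user profile or a Temp directory, where malware writes without admin rights."""
    p = path.lower()
    return p.startswith(PROFILE_ROOT) or "\\temp\\" in p


def exe_from_command(cmd):
    """Program path from a Run value: the quoted path, or everything before the first ' /' switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    return cmd.split(" /", 1)[0]


def audit_userinit(value):
    """Userinit is a comma-separated list; a clean box carries only the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    if not entries or entries[0].lower() != STOCK_USERINIT.lower():
        findings.append("Userinit does not start with the stock " + STOCK_USERINIT)
    for extra in entries[1:]:
        problems = ["extra Userinit entry"]
        if in_user_profile(extra):
            problems.append("user-writable location")
        if not file_exists(extra):
            problems.append("file not found")
        findings.append(", ".join(problems) + ": " + extra)
    return findings


def audit_run_entries(entries):
    """Flag Run values that start something from a user-writable path or from a file that is gone."""
    findings = []
    for name, cmd in entries.items():
        exe = exe_from_command(cmd)
        problems = []
        if in_user_profile(exe):
            problems.append("runs from a user-writable location")
        if not file_exists(exe):
            problems.append("file not found (orphaned entry)")
        if problems:
            findings.append("Run\\" + name + ": " + "; ".join(problems) + " -> " + exe)
    return findings


def audit_security_center(values):
    """Each *DisableNotify flag at 1 hides a Security Center warning; a clean box has all three at 0."""
    return [name + "=1 hides the Security Center '" + name[:-len("DisableNotify")] + "' warning"
            for name, data in sorted(values.items())
            if name.endswith("DisableNotify") and data]


def run_audit(snapshot):
    """Dispatch each snapshot key to the matching check and collect every finding."""
    findings = []
    for key, data in snapshot.items():
        leaf = key.rsplit("\\", 1)[-1]
        if leaf == "UserInit":
            findings += audit_userinit(data)
        elif leaf == "Run":
            findings += audit_run_entries(data)
        elif leaf == "Security Center":
            findings += audit_security_center(data)
    return findings


if __name__ == "__main__":
    for finding in run_audit(SNAPSHOT):
        print(finding)
```

Against the constructed snapshot the audit returns five findings: the extra Userinit entry, the orphaned Run value, and the three suppressed Security Center warnings. The Userinit check is the one worth keeping around: the value is read by Winlogon at every interactive logon, so an extra entry there survives a removal of the Run key and is easy to miss in a quick scan.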

Mr.Agent

  • Guest
Re: hi newbie here
« Reply #9 on: August 28, 2011, 04:35:59 PM »
Essex, be sure to verify that file that he did not select for removal > c:\documents and settings\user\local settings\Temp\ptu747_tmp.exe (PUP.Casino) -> Not selected for removal.

He didn't remove it, according to his MBAM log.

grunge94

  • Guest
Re: hi newbie here
« Reply #10 on: August 28, 2011, 04:39:18 PM »
Here's the new log ... P.S. After reboot, before the new scan, avast popped up finding Whistler with the option to ignore.

thanks for your help so far

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: hi newbie here
« Reply #11 on: August 28, 2011, 04:45:28 PM »
OTL's temp clear will have killed that

What problems do you have at the moment ?

grunge94

  • Guest
Re: hi newbie here
« Reply #12 on: August 28, 2011, 04:46:53 PM »
It has blocked my wireless internet; I have to run the PC directly off the hub

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: hi newbie here
« Reply #13 on: August 28, 2011, 04:48:20 PM »
OK, let's ensure that I killed it all

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

 IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now

grunge94

  • Guest
Re: hi newbie here
« Reply #14 on: August 28, 2011, 05:03:52 PM »
Sorry, I've got to go out .. women!!! I'll continue this again shortly .. thanks again to all for the help so far