Hi,
Avast found a Rootkit virus and *win32:Fake Sysdef - A[Trj], but it doesn't delete the rootkit.
I did everything step by step as you said in "Topic: Logs to assist in cleaning malware", for which thank you very much.
I think I erased (?) *win32:Fake Sysdef - A[Trj], because now I have all my shortcuts back.
My request to you is to help me clear my computer completely before I reinstall it again.
I have done everything: Malwarebytes, OTL, aswMBR, RogueKiller and Farbar Service Scanner, just in case.
I also tried GETxPUD.exe / xpud_0.9.2.iso, burned with BurnCDCC + USB with "dumpit", but xpud_0.9.2 does not work because there are no drivers for my chipset; I also tried driver.opt etc., Xorg drivers etc. I researched the network and still found no drivers for my chipset.
I also tried Microsoft Safety Scanner (64x_msert.exe) and it erased win32:Fake Sysdef - A[Trj].
I also tried HitmanPro 3.6 (64-bit), threats found = 0.
The only thing I have not tried is TDSSKiller!!!
And so after 4 days of reading and fighting I came here.
So now things are:
1. Avast detects the following threat over and over:
In boot scan: NtCreateFile - log Error:0x0000022 {Acces Denied}
In the desktop environment it shows: MBR:\.\PHYSICALDRIVE0/Partition4 Alureon-k[Rtk]. Normally I have only two partitions / C & D + 100MB System Primary Partition /, now I have 4 partitions:
PC»Manage»Disk Management» Disk0 Basic 111.79GB:
-(100MB NTFS System Primary Partition OK!)
-(50.05GB ((C:)) Healthy Boot OK!)
-(61.63GB DATA ((D:)) Healthy Primary Partition OK!)
»»» (9MB Unallocated) and (??? 1MB Healthy Active,Primary Partition)««
2. Malwarebytes:
At startup displays an error: " [OpenEvent]Failed to perfom desired action.Error Code:2 "
After the scan is complete: " The scan was completed successfully. No malicious items were detected." (?)
Please help me to clean my computer before I reinstall it again, and which is the most effective way to delete everything at the lowest possible level?
At the time of the attack I had an external SATA WD 1TB HDD connected, which began to work immediately /LED indicator light and noise/, provoked by the virus. I turned it off, but I'm not sure if it is infected or not. I scanned it with an Avast deep scan from the infected PC, but it says no problems. That was my backup. Which program is the best way to scan it?
Now I am writing from a completely healthy PC, but I fear connecting my storage to this PC. This computer also has Avast I.S. (I have a license for 3 PCs; I have only one more PC left and I am thinking of activating it now on an old MacBook Pro 2009, which I bought only a few days ago, but now I wonder if I have similar problems on this /Mac/ or not. I need security for my online transactions.)
Excuse me for my bad English.
Thank you for your time and consideration.
Yours sincerely,
Dimka Peeva
P.S. I have had to convert the text to ANSI. I hope there are no problems.
Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org
Database version: v2012.03.25.04
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
PC :: PC-PC [limited]
Protection: Disabled
26-Mar-12 10:04:15 AM
mbam-log-2012-03-26 (10-04-15).txt
Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 176070
Time elapsed: 7 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
RogueKiller V7.3.2 [03/20/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: PC [Admin rights]
Mode: Scan – Date: 03/26/2012 10:55:23
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 20 ¤¤¤
[PROXY IE] HKCU[…]\Internet Settings : ProxyServer (87.121.77.17:8080) → FOUND
[HJ] HKLM[…]\System : ConsentPromptBehaviorAdmin (0) → FOUND
[HJ] HKLM[…]\System : EnableLUA (0) → FOUND
[WallPP] HKCU[…]\Desktop : Wallpaper () → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowMyDocs (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowRecentDocs (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowUser (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowMyPics (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowMyGames (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowMyMusic (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowControlPanel (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowHelp (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowPrinters (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowRun (0) → FOUND
[HJ] HKCU[…]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) → FOUND
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND
[HJ] HKCU[…]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) → FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD10EARS-00Y5B1 SCSI Disk Device +++++
— User —
[MBR] 8864e430f9cc1d1fc84b13b019eaf523
[BSP] 63606df43291d30ee5f9c5cc5e7193b0 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 … OK!
Error reading LL2 MBR!
+++++ PhysicalDrive1: OCZ-VERTEX2 3.5 +++++
— User —
[MBR] 25849e9074d9e371c864862c409fe69b
[BSP] 9a3957633bccc8be40bf957f24262ce6 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 51250 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 105166848 | Size: 63112 Mo
3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 234438656 | Size: 1 Mo
User = LL1 … OK!
User = LL2 … OK!
+++++ PhysicalDrive2: Verbatim STORE N GO USB Device +++++
— User —
[MBR] cd80e670f8a3b324333d5805803ed42c
[BSP] 8334fb291c5c3a1c12ad686dd82b5ffc : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 8192 | Size: 7628 Mo
User = LL1 … OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt
Sorry, but I decided to post only this Malwarebytes log. I also have 6 RKreports if necessary.
// Intel i5-2500K/ 8GB Ram/Asus Maximus IV GENE-Z/ SSD OCZ VERTEX2 SATAII 3.5" 120GB / GTX560i / W7x64 Ultimate Build 7601 SP1 / Avast internet security 7.0.1426 Virus Def. Version 120327-0 / Malwarebytes PRO 1.60.1.1000 PRO //
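As an added example (not part of the original post, and not RogueKiller's or Malwarebytes' code), the partition table RogueKiller printed for PhysicalDrive1 rebuilt into a constructed MBR sector and checked for the pattern Disk Management showed: a 1 MB hidden, active partition at the tail of the disk behind a 9 MB unallocated gap, with the active flag no longer on the 100 MB system partition. The offsets and sizes come from the log; the hidden-type set, the 16 MiB "tiny" threshold and the function names are the example's own assumptions.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE
ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}  # assumed "hidden" FAT/NTFS type codes

def build_mbr(entries):
    """Construct a 512-byte MBR from (active, type, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    for i, (active, ptype, start, count) in enumerate(entries):
        off = PT_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY, 0x80 if active else 0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

def parse_mbr(mbr):
    """Return the non-empty partition entries of an MBR sector as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY, mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "start": start, "end": start + count, "mib": count * SECTOR // 2**20})
    return parts

def flag_suspicious(parts, tiny_mib=16):
    """Flag the pattern in the RogueKiller log (tiny, hidden, active partition at the disk tail)
    and report unallocated gaps between partitions. Returns (findings, gaps_in_mib)."""
    findings = []
    ordered = sorted(parts, key=lambda p: p["start"])
    disk_end = ordered[-1]["end"]
    for p in ordered:
        reasons = []
        if p["type"] in HIDDEN_TYPES:
            reasons.append("hidden type 0x%02X" % p["type"])
        if p["active"] and p["mib"] <= tiny_mib:
            reasons.append("active flag on a %d MiB partition" % p["mib"])
        if p["end"] == disk_end and p["mib"] <= tiny_mib:
            reasons.append("tiny partition at end of disk")
        if reasons:
            findings.append((p["index"], reasons))
    gaps = [(b["start"] - a["end"]) * SECTOR // 2**20 for a, b in zip(ordered, ordered[1:]) if b["start"] > a["end"]]
    return findings, gaps

# Constructed sample: the four entries RogueKiller listed for PhysicalDrive1 (sizes in MiB converted to sectors).
SAMPLE_MBR = build_mbr([(False, 0x07, 2048, 100 * 2048), (False, 0x07, 206848, 51250 * 2048),
                        (False, 0x07, 105166848, 63112 * 2048), (True, 0x17, 234438656, 1 * 2048)])

if __name__ == "__main__":
    print(flag_suspicious(parse_mbr(SAMPLE_MBR)))
```

On the sample the only flagged entry is index 3, and the single gap reported is 9 MiB, the same unallocated space Disk Management showed before the 1 MB partition.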