Hi, first time here. Anyway, this is my parents’ computer (XP). I knew it was having issues, Avira didn’t find much so I installed avast, right away the box pops up that tells me it found a rootkit, file name - MBR: \.\PHYSICALDRIVE0 I click delete & avast prompts me to run boot scanner. In boot scan it says “File MBR is infected by Alureon-G@MBR [RTK]” It will finish the boot scan and start the whole process over again. (Google search in FF has also been randomly redirecting to spam? pages) Thanks in advance for any help!
Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the “Scan” button to start scan
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan click save log, save it to your desktop and post in your next reply
aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-15 13:33:11
13:33:11.979 OS Version: Windows 6.0.6000
13:33:11.979 Number of processors: 1 586 0x209
13:33:11.979 ComputerName: COMPUTER-PC UserName: Computer
13:33:12.416 AVAST engine 6.0.1125 defs: 11061202
13:33:12.416 Initialize success
13:33:35.057 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
13:33:35.073 Disk 0 Vendor: WDC_WD800BB-53DKA0 77.07W77 Size: 76319MB BusType: 3
13:33:37.088 Disk 0 MBR read successfully
13:33:37.088 Disk 0 MBR scan
13:33:37.104 Disk 0 Alureon-G@mbr [Rtk]
13:33:37.104 Disk 0 TDL4@MBR code has been found
13:33:37.119 Disk 0 MBR [TDL4] ROOTKIT
13:33:37.119 Disk 0 scanning C:\Windows\system32\drivers
13:33:50.182 Service scanning
13:33:51.729 Disk 0 trace - called modules:
13:33:51.744 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
13:33:51.760 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x83a38ad8]
13:33:51.776 3 ntoskrnl.exe[818a80af] → nt!IofCallDriver → [0x830cf8f0]
13:33:51.807 5 acpi.sys[8047b32a] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x830d1bb0]
13:33:51.823 AVAST engine scan C:\Windows\system32
13:36:06.588 Scan finished successfully
13:37:25.510 Disk 0 MBR has been saved successfully to “G:\MBR.dat”
13:37:27.119 The log file has been saved successfully to “G:\results.txt”
I don’t generally jump in when essexboy is on the job, but his time is limited and you can either wait or continue with the next step having found an MBR Rootkit.
In this case - [TDL4] ROOTKIT found:
http://public.avast.com/~gmerek/aswMBR3.png
- scan again then click “FIX” and reboot
** After reboot, scan again, then click “Save log” and post it in your next reply.
I rescanned but I can’t click fix, only fixMBR. That ok?
Run a fresh aswMBR scan please and post the log … Avast may have cured it if you have rebooted
Here’s the rescan
aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-15 14:18:37
14:18:37.114 OS Version: Windows 6.0.6000
14:18:37.114 Number of processors: 1 586 0x209
14:18:37.114 ComputerName: COMPUTER-PC UserName: Computer
14:18:37.489 AVAST engine 6.0.1125 defs: 11061202
14:18:37.489 Initialize success
14:18:41.411 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
14:18:41.411 Disk 0 Vendor: WDC_WD800BB-53DKA0 77.07W77 Size: 76319MB BusType: 3
14:18:43.427 Disk 0 MBR read successfully
14:18:43.427 Disk 0 MBR scan
14:18:43.442 Disk 0 Alureon-G@mbr [Rtk]
14:18:43.442 Disk 0 TDL4@MBR code has been found
14:18:43.458 Disk 0 MBR [TDL4] ROOTKIT
14:18:43.458 Disk 0 scanning C:\Windows\system32\drivers
14:18:53.333 Service scanning
14:18:54.817 Disk 0 trace - called modules:
14:18:54.833 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
14:18:54.849 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x83a38ad8]
14:18:54.849 3 ntoskrnl.exe[818a80af] → nt!IofCallDriver → [0x830cf8f0]
14:18:54.880 5 acpi.sys[8047b32a] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x830d1bb0]
14:18:54.896 AVAST engine scan C:\Windows\system32
14:21:13.161 Scan finished successfully
14:22:07.906 Disk 0 MBR has been saved successfully to “G:\MBR.dat”
14:22:09.516 The log file has been saved successfully to “G:\aswMBR.txt”
One thing is different from your snapshots. On my screen under “Trace disk IO calls” a box is checked that says “Use avast engine” Not sure if that makes any difference…
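A small parser for the aswMBR log format shown in this thread, added here as an illustration and not part of the thread or of the aswMBR tool: it pulls the per-disk detection and verdict lines out of a log and reports whether a rescan after FIX/reboot actually came back clean, which is the check the helpers are asking the poster to make. The infected sample is built from the log lines above; what a clean disk prints is an assumption.

```python
import re
# Constructed sample: the per-disk lines aswMBR printed for the infected disk in
# this thread (abridged from the log above, not a complete log).
SAMPLE_INFECTED = """\
13:33:37.088 Disk 0 MBR read successfully
13:33:37.104 Disk 0 Alureon-G@mbr [Rtk]
13:33:37.104 Disk 0 TDL4@MBR code has been found
13:33:37.119 Disk 0 MBR [TDL4] ROOTKIT
13:36:06.588 Scan finished successfully
"""
# Constructed clean rescan (assumption: an uninfected disk prints no detection or ROOTKIT line).
SAMPLE_CLEAN = """\
14:18:43.427 Disk 0 MBR read successfully
14:21:13.161 Scan finished successfully
"""

LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} (.*)$")   # "hh:mm:ss.mmm message"
DISK_RE = re.compile(r"^Disk (\d+) (.*)$")             # "Disk N ..." messages
DETECT_RE = re.compile(r"^(\S+@mbr) \[(\w+)\]$", re.I)  # "Alureon-G@mbr [Rtk]"
ROOTKIT_RE = re.compile(r"^MBR \[(\w+)\] ROOTKIT$")    # "MBR [TDL4] ROOTKIT"

def parse_aswmbr(log_text):
    """Collect {"finished": bool, "disks": {n: {"detections": [...], "rootkit": str|None}}}."""
    result = {"finished": False, "disks": {}}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        msg = m.group(1) if m else ""          # banner/blank lines carry no timestamp
        if msg.startswith("Scan finished"):
            result["finished"] = True
        d = DISK_RE.match(msg)
        if not d:                              # service-scan, trace and engine lines
            continue
        disk = result["disks"].setdefault(int(d.group(1)), {"detections": [], "rootkit": None})
        det, rk = DETECT_RE.match(d.group(2)), ROOTKIT_RE.match(d.group(2))
        if det:                                # signature name and its category tag
            disk["detections"].append((det.group(1), det.group(2)))
        elif rk:                               # the overall MBR verdict line
            disk["rootkit"] = rk.group(1)
    return result

def verdict(log_text):
    parsed = parse_aswmbr(log_text)
    if not parsed["finished"]:
        return "INCOMPLETE"                    # scan was interrupted; do not trust it
    hit = any(d["rootkit"] or d["detections"] for d in parsed["disks"].values())
    return "INFECTED" if hit else "CLEAN"

def fix_succeeded(before_log, after_log):      # True only when the rescan after FIX/reboot is clean
    return verdict(before_log) == "INFECTED" and verdict(after_log) == "CLEAN"
```

Fed the two full logs from this thread, `fix_succeeded` returns False, because the second scan still carries the `MBR [TDL4] ROOTKIT` line, which is why a fresh scan was requested.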
The image may relate to an earlier aswMBR version as the latest version now incorporates a short avast scan of system32 and drivers folders.
See image I did of a clean scan on my system.
That is correct, it scans other areas using the Avast engine.
Please read carefully and follow these steps.
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png
- If an infected file is detected, the default action will be Cure, click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png
- If a suspicious file is detected, the default action will be Skip, click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.
Ok guys I’ll download that & run it. Have to run to work now but I’ll post that log as soon as I get home. Thank you both for your help so far!!
So after reboot avast didn’t pop up a warning box. So far so good! Here’s the TDSSkiller log.
What problems remain?
Sorry I was gone for a while. I thought everything was fine but now a box keeps popping up saying -
"An unauthorized change was made to windows
You will no longer receive notifications, including those about your license or activation. Use the link below to find out how to fix your system.
Error: 0xC004D401
Description: The security processor reported a system file mismatch error.
Learn more online"
Again, sorry about not getting back sooner.
Other than that box that keeps popping up everything seems fine, except after it pops up you can’t print anything.
Could you update to service pack 1/2 and let me know if the error persists, please?