Avast! won't delete rootkit - File name MBR://./PHYSICALDRIVE0

Hi,

I have a rootkit which avast! won't delete. It's not being detected in the boot time scan. An error comes up when I try to delete it. I read some other similar posts about this and downloaded combofix, but whenever I try to run it the computer shuts down. Need advice on what to do please. The virus is preventing Internet Explorer from working too.
Thanks

Download and run aswMBR.exe http://public.avast.com/~gmerek/aswMBR.htm

  • Double click the aswMBR.exe to run it
  • Click the “Scan” button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply

This is what came up. Thanks.

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 11:42:30

11:42:30.662 OS Version: Windows 6.0.6000
11:42:30.662 Number of processors: 2 586 0xE0C
11:42:30.662 ComputerName: SABRIA-PC UserName: Sabria
11:42:34.515 Initialize success
11:42:37.073 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\iaStor0
11:42:37.073 Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
11:42:37.073 Device \Device\Ide\IAAStorageDevice-0 → ??\IDE#DiskHitachi_HTS541616J9SA00_________________SB4OC7KP#4&1e09ccbe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:42:37.089 Disk 0 MBR read successfully
11:42:37.089 Disk 0 MBR scan
11:42:37.105 Disk 0 TDL4@MBR code has been found
11:42:37.105 Disk 0 MBR hidden
11:42:37.105 Disk 0 MBR [TDL4] ROOTKIT
11:42:37.120 Disk 0 trace - called modules:
11:42:37.120 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:42:37.120 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85a26ad8]
11:42:37.136 3 ntkrnlpa.exe[824b07e2] → nt!IofCallDriver → [0x84fff6d8]
11:42:37.136 \Driver\iaStor[0x862f1b50] → IRP_MJ_CREATE → 0x86796439
11:42:37.151 Scan finished successfully

11:42:37.105 Disk 0 TDL4@MBR code has been found
11:42:37.105 Disk 0 MBR [TDL4] **ROOTKIT**
Scan again; when done, click "FIX" and post the new log.

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 11:52:47

11:52:47.117 OS Version: Windows 6.0.6000
11:52:47.117 Number of processors: 2 586 0xE0C
11:52:47.117 ComputerName: SABRIA-PC UserName: Sabria
11:52:48.536 Initialize success
11:52:50.611 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\iaStor0
11:52:50.627 Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
11:52:50.627 Device \Device\Ide\IAAStorageDevice-0 → ??\IDE#DiskHitachi_HTS541616J9SA00_________________SB4OC7KP#4&1e09ccbe&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
11:52:50.642 Disk 0 MBR read successfully
11:52:50.642 Disk 0 MBR scan
11:52:50.642 Disk 0 TDL4@MBR code has been found
11:52:50.658 Disk 0 MBR hidden
11:52:50.658 Disk 0 MBR [TDL4] ROOTKIT
11:52:50.674 Disk 0 trace - called modules:
11:52:50.674 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:52:50.689 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85a26ad8]
11:52:50.689 3 ntkrnlpa.exe[824b07e2] → nt!IofCallDriver → [0x84fff6d8]
11:52:50.705 \Driver\iaStor[0x862f1b50] → IRP_MJ_CREATE → 0x86796439
11:52:50.705 Scan finished successfully
11:52:52.780 Disk 0 fixing MBR
11:53:02.810 Disk 0 MBR restored successfully
11:53:02.810 Infection fixed successfully - please reboot ASAP

Should I reboot?

Did you click “FIX MBR” or “FIX”?

11:53:02.810 Infection fixed successfully - please reboot ASAP
Yes, reboot.

Scan again and post the new log.

I clicked on fix. It’s rebooting now.

Can only open in safe mode. Windows keeps shutting down. I ran the scan; fix isn’t an option, only fixmbr. Should I click it?

No, just scan, save the log and post it.

While you might not like this answer, I feel it needs to be posted anyway: Infection by rootkit → game over. Go and reinstall from scratch.

Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.

The guys here do a great job when helping with infections, but in case of rootkits, this simply is not enough.

but in case of rootkits, this simply is not enough.
I am not sure Essexboy agrees... The plan is to end this with an OTS log and have him look at it anyway.

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-25 12:20:13

12:20:13.194 OS Version: Windows 6.0.6000
12:20:13.194 Number of processors: 2 586 0xE0C
12:20:13.194 ComputerName: SABRIA-PC UserName: Sabria
12:20:14.005 Initialize success
12:20:16.298 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
12:20:16.298 Disk 0 Vendor: Hitachi_ SB4O Size: 152627MB BusType: 3
12:20:16.314 Disk 0 MBR read successfully
12:20:16.329 Disk 0 MBR scan
12:20:16.329 Disk 0 scanning sectors +312578048
12:20:16.361 Disk 0 scanning C:\Windows\system32\drivers
12:20:21.275 Service scanning
12:20:23.537 Disk 0 trace - called modules:
12:20:23.583 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll iaStor.sys
12:20:23.583 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8598e030]
12:20:23.599 3 ntkrnlpa.exe[824b07e2] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x84fd5030]
12:20:23.599 Scan finished successfully
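The three aswMBR logs in this thread show the two things a helper looks for before telling the poster to click FIX: a named MBR family on a "MBR [TDL4] ROOTKIT" line together with "MBR hidden", and a trace line where the disk I/O path ends in an address that no loaded module owns (">>UNKNOWN [0x...]<<"). The third log has neither, which is why it "looks clean". The following is an added example, not code from the thread or from AVAST: a small Python triage routine whose line patterns are taken from the aswMBR 0.9.4 output posted above and whose sample inputs are excerpts of those same logs.

```python
import re

# Line shapes as they appear in the aswMBR 0.9.4 logs posted in this thread.
TS = r"^\d\d:\d\d:\d\d\.\d{3} "
ROOTKIT_RE = re.compile(TS + r"Disk (\d+) MBR \[([^\]]+)\] ROOTKIT$")
HIDDEN_RE = re.compile(TS + r"Disk (\d+) MBR hidden$")
MODULES_HDR_RE = re.compile(TS + r"Disk (\d+) trace - called modules:$")
RESTORED_RE = re.compile(TS + r"Disk (\d+) MBR restored successfully$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def triage_aswmbr(log_text):
    """Reduce one aswMBR log to the facts a helper checks before replying."""
    r = {
        "rootkits": [],         # (disk, family) from "MBR [family] ROOTKIT" lines
        "mbr_hidden": False,    # the real MBR is being concealed from Windows
        "call_chain": [],       # drivers on the disk I/O path (the trace line)
        "unknown_hooks": [],    # addresses on that path owned by no loaded module
        "mbr_restored": False,  # aswMBR wrote a clean MBR back
    }
    next_is_trace = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if next_is_trace:
            # The line after "trace - called modules:" lists the modules the disk
            # I/O path passes through; keep only tokens that look like modules.
            tokens = line.split()[1:]
            r["call_chain"] = [t for t in tokens
                               if t.lower().endswith((".exe", ".sys", ".dll"))]
            r["unknown_hooks"] += UNKNOWN_RE.findall(line)
            next_is_trace = False
            continue
        m = ROOTKIT_RE.match(line)
        if m:
            r["rootkits"].append((int(m.group(1)), m.group(2)))
        elif HIDDEN_RE.match(line):
            r["mbr_hidden"] = True
        elif MODULES_HDR_RE.match(line):
            next_is_trace = True
        elif RESTORED_RE.match(line):
            r["mbr_restored"] = True
    if r["rootkits"] and r["mbr_restored"]:
        r["verdict"] = "fixed"     # reboot, then rescan to confirm the trace is clean
    elif r["rootkits"] or r["mbr_hidden"] or r["unknown_hooks"]:
        r["verdict"] = "infected"  # a named MBR family or an unowned hook in the path
    else:
        r["verdict"] = "clean"
    return r


# Excerpts of the logs posted in this thread (first scan, scan with FIX, rescan).
INFECTED_LOG = """\
11:42:37.089 Disk 0 MBR read successfully
11:42:37.089 Disk 0 MBR scan
11:42:37.105 Disk 0 TDL4@MBR code has been found
11:42:37.105 Disk 0 MBR hidden
11:42:37.105 Disk 0 MBR [TDL4] ROOTKIT
11:42:37.120 Disk 0 trace - called modules:
11:42:37.120 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86796439]<<
11:42:37.151 Scan finished successfully
"""
FIXED_LOG = INFECTED_LOG + """\
11:52:52.780 Disk 0 fixing MBR
11:53:02.810 Disk 0 MBR restored successfully
11:53:02.810 Infection fixed successfully - please reboot ASAP
"""
CLEAN_LOG = """\
12:20:16.314 Disk 0 MBR read successfully
12:20:16.329 Disk 0 MBR scan
12:20:16.329 Disk 0 scanning sectors +312578048
12:20:23.537 Disk 0 trace - called modules:
12:20:23.583 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll iaStor.sys
12:20:23.599 Scan finished successfully
"""

if __name__ == "__main__":
    for name, log in (("first scan", INFECTED_LOG), ("after FIX", FIXED_LOG),
                      ("rescan", CLEAN_LOG)):
        summary = triage_aswmbr(log)
        print(f"{name}: {summary['verdict']}  chain={summary['call_chain']}  "
              f"unknown={summary['unknown_hooks']}")
```

The trace line is the more durable signal of the two: a signature name like TDL4 depends on aswMBR's database, whereas an I/O path that ends in an address belonging to no driver is suspicious regardless of family, and its absence in the rescan (the path now ends in hal.dll and iaStor.sys) is what backs up the "looks clean" reply.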

Well, that looks clean.

Download Malwarebytes and run a quick scan.

Malwarebytes Anti-Malware 1.50.1 http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest database before you scan.
Click the Remove Selected button to quarantine anything found.

Post the scan log

MBAM is not particularly good when it comes to rootkits. If anything, I’d suggest Hitman Pro (activate the 30 days trial license if it finds the rootkit). Also, this article covers multiple antirootkit tools: http://www.techrepublic.com/blog/networking/rootkits-is-removing-them-even-possible/736

Anyway, as I already said, I do not believe in disinfecting systems compromised by rootkit.

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6165

Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.17037

25/03/2011 12:52:17
mbam-log-2011-03-25 (12-52-04).txt

Scan type: Quick scan
Objects scanned: 153511
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 65
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\CLSID{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\TypeLib{F244A744-534D-4A46-855F-C0C7E9F27DAA} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\Interface{030C9927-10FC-4169-97A2-55BECD5D88D8} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl.1 (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.RprtCtrl (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\CLSID{3E2DFD6A-4E20-4D4C-AA8B-E1F9DBEF3C80} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButton.1 (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButton (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\CLSID{714E0876-FCEE-49CE-A429-B9AD8AEFCB56} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButtonA.1 (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.IEButtonA (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\CLSID{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\CLSID{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand.1 (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbInfoBand (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\CLSID{DD15BCC0-5FE9-4690-A957-99FA60ED9D26} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbAx.1 (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\ShoppingReport2.HbAx (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\Typelib{B035BA6B-57CD-4F72-B545-65BE465FCAF6} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\Typelib{D44FD6F0-9746-484E-B5C4-C66688393872} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\Interface{0EB3F101-224A-4B2B-9E5B-DF720857529C} (Adware.ShoppingReport2) → No action taken.
HKEY_CLASSES_ROOT\Typelib{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\Interface{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) → No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) → No action taken.
HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) → No action taken.
HKEY_CURRENT_USER\Software\ShoppingReport2 (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ResultBar (Adware.ResultBar) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport2 (Adware.ShoppingReport2) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ResultBar (Adware.ResultBar) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShoppingReport2 (Adware.Hotbar) → No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) → Value: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) → Value: {46897C77-E7A6-4C33-BFFB-E9C2E2718942} → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qnexayoqane (Trojan.Agent.U) → Value: Qnexayoqane → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\resultbar (Adware.ResultBar) → No action taken.
c:\program files\funwebproducts (Adware.MyWebSearch) → No action taken.
c:\program files\funwebproducts\screensaver (Adware.MyWebSearch) → No action taken.
c:\program files\funwebproducts\screensaver\Images (Adware.MyWebSearch) → No action taken.
c:\program files\mywebsearch (Adware.MyWebSearch) → No action taken.
c:\program files\mywebsearch\bar (Adware.MyWebSearch) → No action taken.
c:\program files\mywebsearch\bar\History (Adware.MyWebSearch) → No action taken.
c:\program files\mywebsearch\bar\Settings (Adware.MyWebSearch) → No action taken.
c:\program files\resultbar (Adware.ResultBar) → No action taken.
c:\program files\shoppingreport2 (Adware.ShoppingReport2) → No action taken.
c:\program files\shoppingreport2\Bin (Adware.ShoppingReport2) → No action taken.
c:\program files\shoppingreport2\Bin\2.7.21 (Adware.ShoppingReport2) → No action taken.

Files Infected:
c:\Users\Sabria\AppData\Local\Temp\srweanxmoc.exe (Adware.Agent) → No action taken.
c:\program files\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) → No action taken.
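Reading a log like the one above by hand is slow, and two details matter more than the raw counts: every entry says "No action taken", which means the log was saved before Remove Selected was clicked, and a handful of the keys are persistence points (a Run value, a Browser Helper Object, IE ElevationPolicy and SearchScopes entries) rather than leftover CLSID registrations. The following is an added example, not code from the thread or from Malwarebytes: a Python parser for the MBAM 1.50 log layout shown above that groups detections by family, lists the persistence locations, and reports what has not yet been removed. The sample log is a constructed excerpt of the one posted here, with one file entry changed to "Quarantined and deleted successfully" to show the difference.

```python
import re
from collections import Counter

# One detection line: "<path> (<family>) -> [Value: <v> ->] <action>."
# MBAM writes "->"; the copy in this thread renders it as an arrow, so both are accepted.
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\)"
    r"(?: (?:->|→) Value: (?P<value>.+?))?"
    r" (?:->|→) (?P<action>.+?)\.$"
)
# Section headers such as "Registry Keys Infected:" (the summary lines with a count do not match).
SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:$")

# Registry locations that re-launch or re-attach a component on every boot or
# browser start; these deserve a look even when the family is "only" adware.
PERSISTENCE_HINTS = (
    "\\currentversion\\run\\",
    "\\browser helper objects\\",
    "\\elevationpolicy\\",
    "\\searchscopes\\",
    "\\toolbar\\webbrowser\\",
)


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it came from."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or not line or line.startswith("("):
            continue  # header block, blank line, or "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, **m.groupdict()})
    return items


def triage_mbam(text):
    items = parse_mbam_log(text)
    return {
        "total": len(items),
        "families": dict(Counter(i["family"] for i in items)),
        "persistence": [i["path"] for i in items
                        if any(h in i["path"].lower() for h in PERSISTENCE_HINTS)],
        "not_removed": [i["path"] for i in items if i["action"] == "No action taken"],
    }


# Constructed excerpt of the log posted in this thread (one action altered, see above).
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6165

Scan type: Quick scan
Registry Keys Infected: 4
Registry Values Infected: 1
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qnexayoqane (Trojan.Agent.U) -> Value: Qnexayoqane -> No action taken.

Folders Infected:
c:\program files\mywebsearch (Adware.MyWebSearch) -> No action taken.

Files Infected:
c:\Users\Sabria\AppData\Local\Temp\srweanxmoc.exe (Adware.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    report = triage_mbam(SAMPLE_MBAM_LOG)
    print("families:", report["families"])
    print("persistence points:", *report["persistence"], sep="\n  ")
    print(f"{len(report['not_removed'])} of {report['total']} items still not removed")
```

The "not_removed" list is the practical check: when a poster replies that everything was quarantined, the log that proves it is a second one with "Quarantined and deleted successfully" on each line, not the one saved before clicking the button. Note that the MBAM entries are user-mode adware and an IE toolbar set; none of them explains the MBR infection or the shutdowns, which is why the thread moves on to an OTS log.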

I have quarantined all the selected files and rebooted, but I still can only open in safe mode as Windows keeps shutting down when opened normally. I get some blue screen with something written and then it shuts down… it's too quick for me to read.

OK… I am not sure if you can do this in safe mode, but you may try running OTS and posting the log.

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid multiple posts with copy and paste, you have to attach the logs:
Lower left corner: Additional Options > Attach (OTS log)

I will notify Essexboy now so he will look at this when he arrives here in 7-8 hours.
May take longer if there is cricket on TV ;D

Hi,

I have scanned with OTS and attached the log. When will I be able to use the computer normally?

thanks

You have to wait for Essexboy's advice.