system
February 25, 2011, 3:04am
1
Here's what's going on: I have a virus I can't remove with the Avast free version. I scan and it keeps showing up; it won't remove it, or let me put it in the Virus Chest. When I scan and it says to remove it, shut down your PC and restart, I do that and it's still there. I restore and it's still there. Here's what it says the threat is:
FILE NAME: PHYSICALDRIVE0
SEVERITY: HIGH
STATUS: THREAT:ROOTKIT:HIDDEN
system
April 14, 2011, 1:18am
3
I hope it’s still ok to post here!
I followed your directions and this is the log:
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-13 18:13:57
18:13:57.343 OS Version: Windows 5.1.2600 Service Pack 3
18:13:57.343 Number of processors: 2 586 0x409
18:13:57.343 ComputerName: HARDDRIVE UserName: Jaime
18:13:58.046 Initialize success
18:14:03.609 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-e
18:14:03.609 Disk 0 Vendor: Size: 0MB BusType: 0
18:14:03.625 Disk 0 MBR read error
18:14:03.625 Disk 0 MBR scan
18:14:03.625 MBR BIOS signature not found 0
18:14:03.625 Disk 0 scanning C:\WINDOWS\system32\drivers
18:14:09.671 Service scanning
18:14:10.859 Disk 0 trace - called modules:
18:14:10.859 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys sphj.sys hal.dll >>UNKNOWN [0x82d8e938]<<
18:14:10.859 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x82d6b030]
18:14:10.859 3 CLASSPNP.SYS[f84b5fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-e[0x82d42940]
18:14:10.875 Scan finished successfully
18:14:17.781 Disk 0 MBR fix error
18:14:22.812 Disk 0 MBR fix error
18:14:35.703 Disk 0 MBR fix error
Any help?
Could you go to this site please and follow the directions at step 6, http://www.bleepingcomputer.com/forums/topic34773.html, and then re-run aswMBR.
Also, what are your problems?
Is it still ok to post here? I have exactly the same problem as above.
I also followed your directions and here is my log:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-08 09:49:34
09:49:34.756 OS Version: Windows 6.0.6002 Service Pack 2
09:49:34.756 Number of processors: 2 586 0x170A
09:49:34.756 ComputerName: IAN-PC UserName: Ian
09:49:36.550 Initialize success
09:50:05.316 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-1
09:50:05.332 Disk 0 Vendor: Hitachi_HTS545025B9A300 PB2OC64G Size: 238475MB BusType: 3
09:50:07.375 Disk 0 MBR read successfully
09:50:07.375 Disk 0 MBR scan
09:50:07.375 Disk 0 TDL4@MBR code has been found
09:50:07.375 Disk 0 MBR [TDL4] ROOTKIT
09:50:07.375 Disk 0 scanning C:\Windows\system32\drivers
09:50:13.350 Service scanning
09:50:14.895 Disk 0 trace - called modules:
09:50:14.910 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
09:50:14.910 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8565cac8]
09:50:14.910 3 CLASSPNP.SYS[82fa88b3] → nt!IofCallDriver → [0x8450a918]
09:50:14.926 5 acpi.sys[806946bc] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-1[0x84ebcb98]
09:50:14.926 Scan finished successfully
09:50:47.016 Disk 0 fixing MBR …
09:50:57.031 Disk 0 MBR restored successfully
09:50:57.031 Disk 0 Windows 600 MBR fixed successfully
Re-run aswMBR and press Fix.
Save the aswMBR.log to the desktop, then post the log here.
Here are the results of the re-run after the fix.
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-08 11:33:25
11:33:25.550 OS Version: Windows 6.0.6002 Service Pack 2
11:33:25.550 Number of processors: 2 586 0x170A
11:33:25.550 ComputerName: IAN-PC UserName: Ian
11:33:43.318 Initialize success
11:33:47.858 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-1
11:33:47.858 Disk 0 Vendor: Hitachi_HTS545025B9A300 PB2OC64G Size: 238475MB BusType: 3
11:33:49.902 Disk 0 MBR read successfully
11:33:49.902 Disk 0 MBR scan
11:33:49.902 Disk 0 TDL4@MBR code has been found
11:33:49.902 Disk 0 MBR [TDL4] ROOTKIT
11:33:49.902 Disk 0 scanning C:\Windows\system32\drivers
11:33:58.265 Service scanning
11:33:58.686 Disk 0 fixing MBR …
11:34:08.701 Disk 0 MBR restored successfully
11:34:08.701 Disk 0 Windows 600 MBR fixed successfully
11:34:08.701 Disk 0 trace - called modules:
11:34:08.701 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
11:34:08.717 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x855592b8]
11:34:08.732 3 CLASSPNP.SYS[82fa38b3] → nt!IofCallDriver → [0x84eb0918]
11:34:08.748 5 acpi.sys[806926bc] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-1[0x8450a8a0]
11:34:08.748 Scan finished successfully
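A small triage script for logs in this format, added here as an editor's example; it is not aswMBR's own code and does not come from any post in this thread. It scores the indicators that appear in the logs above: a disk stack that returns an error for the MBR read and shows an unknown module in the called-modules trace (the April log), rootkit code identified in the MBR (the TDL4 logs), and a failed or successful fix. The sample lines are constructed from the logs quoted above, not a verbatim capture. `fix_held` captures the caveat the second run shows: the first run reported the MBR restored, and the rerun found TDL4 code in it again, so a "fixed" message is not confirmation until a rerun comes back with no detection.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on the aswMBR output quoted in this thread
# (editor's fixtures, not a verbatim capture of any one post).
LOG_HOOKED = """\
18:14:03.625 Disk 0 MBR read error
18:14:03.625 Disk 0 MBR scan
18:14:03.625 MBR BIOS signature not found 0
18:14:10.859 Disk 0 trace - called modules:
18:14:10.859 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys sphj.sys hal.dll >>UNKNOWN [0x82d8e938]<<
18:14:10.875 Scan finished successfully
18:14:17.781 Disk 0 MBR fix error
"""

# The rerun after a "fixed" run: TDL4 code is found in the MBR again, then fixed again.
LOG_TDL4_RERUN = """\
11:33:49.902 Disk 0 MBR read successfully
11:33:49.902 Disk 0 MBR scan
11:33:49.902 Disk 0 TDL4@MBR code has been found
11:33:49.902 Disk 0 MBR [TDL4] ROOTKIT
11:33:58.686 Disk 0 fixing MBR ...
11:34:08.701 Disk 0 MBR restored successfully
11:34:08.701 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
"""

# A run with stock MBR code and only a locked third-party driver in the service scan.
LOG_XP_CLEAN = r"""
01:47:36.640 Disk 0 Windows XP default MBR code
01:47:55.859 Service vsdatant C:\WINDOWS\System32\vsdatant.sys LOCKED 32
01:48:20.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys iaStor.sys hal.dll
01:59:38.000 Scan finished successfully
"""

# (pattern, tag, severity): 2 = evidence of an active rootkit, 1 = the disk stack
# misbehaves or remediation failed, 0 = informational.
RULES = [
    (re.compile(r"MBR \[(?P<family>[^\]]+)\] ROOTKIT"), "mbr_rootkit", 2),
    (re.compile(r"(?P<family>\S+)@MBR code has been found"), "mbr_code", 2),
    (re.compile(r">>UNKNOWN \[0x[0-9a-fA-F]+\]<<"), "unknown_module_in_disk_trace", 2),
    (re.compile(r"File: (?P<path>.+?) INFECTED (?P<family>\S+)"), "infected_file", 2),
    (re.compile(r"MBR read error"), "mbr_read_error", 1),
    (re.compile(r"MBR BIOS signature not found"), "mbr_signature_missing", 1),
    (re.compile(r"MBR fix error"), "mbr_fix_error", 1),
    (re.compile(r"MBR (?:restored|fixed) successfully"), "mbr_fixed", 0),
    (re.compile(r"Service (?P<name>\S+) (?P<path>\S+) LOCKED"), "locked_service", 0),
]


@dataclass
class Finding:
    tag: str
    severity: int
    line: str
    detail: dict = field(default_factory=dict)


def triage(log_text):
    """Match every log line against RULES; the first matching rule wins."""
    findings = []
    for raw in log_text.splitlines():
        # Drop the HH:MM:SS.mmm prefix so the patterns anchor on the message itself.
        line = re.sub(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+", "", raw.strip())
        for pattern, tag, severity in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(tag, severity, line, match.groupdict()))
                break
    return findings


def verdict(findings):
    worst = max((f.severity for f in findings), default=-1)
    return {2: "infected", 1: "suspect"}.get(worst, "clean")


def fix_held(rerun_log):
    """True only if a rerun after a reported MBR fix no longer identifies rootkit
    code in the MBR. A 'restored successfully' line in the rerun itself does not
    count: it means the tool had to fix the MBR again."""
    return not any(f.tag in ("mbr_rootkit", "mbr_code") for f in triage(rerun_log))
```

Run `triage()` over a saved aswMBR.log and `verdict()` over the result; for the post-fix check, feed the rerun's log to `fix_held()`. Any severity-2 finding warrants a dedicated rootkit remover and a clean rerun, which is the path the helper takes in this thread.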
Download TDSSKiller to the Desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
When you have downloaded the program, do the following:
Deactivate/turn off your protective software.
Close running programs.
Run the program. Press the Start scan button.
When the scan is over, the utility outputs a list of detected objects with descriptions.
The utility automatically selects an action (Cure or Delete) for malicious objects.
If malicious objects are found, make sure that you choose "Cure"
http://support.kaspersky.com/images/support_new/2663-2-eng.png
and click Continue, and then click Reboot Now.
Send me the contents of the log from the following location:
C:\TDSSKiller_version_DD.MM.GG_HH.MM.SS.txt
Note:
(DD = day, MM = month, GG = year, HH = hour, MM = minutes, SS = seconds; the date and time the log was made)
Is this the attachment you mean?
Argus - I have now run a full system scan and it is no longer picking up any infections, so fingers crossed all is now OK. A big thank you to you for your help, which was very much appreciated. THANK YOU!
My pleasure, although I have not seen the log.
system
September 16, 2011, 11:07pm
12
I hope it is still ok to post here.
I did that above and here is the re-run log.
I hope someone could check if there is still something.
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-17 01:47:24
01:47:24.890 OS Version: Windows 5.1.2600 Service Pack 3
01:47:24.890 Number of processors: 2 586 0x1C02
01:47:24.890 ComputerName: CATI UserName: Kati
01:47:25.812 Initialize success
01:47:27.156 AVAST engine defs: 11091601
01:47:36.593 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
01:47:36.609 Disk 0 Vendor: ST916031 0005 Size: 152627MB BusType: 3
01:47:36.625 Disk 0 MBR read successfully
01:47:36.640 Disk 0 MBR scan
01:47:36.640 Disk 0 Windows XP default MBR code
01:47:36.656 Disk 0 scanning sectors +312560640
01:47:36.812 Disk 0 scanning C:\WINDOWS\system32\drivers
01:47:54.328 Service scanning
01:47:55.859 Service vsdatant C:\WINDOWS\System32\vsdatant.sys LOCKED 32
01:47:56.421 Modules scanning
01:48:20.703 Disk 0 trace - called modules:
01:48:20.734 ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys iaStor.sys hal.dll
01:48:20.734 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86d3f030]
01:48:20.750 3 CLASSPNP.SYS[f7548fd7] → nt!IofCallDriver → [0x86d7d478]
01:48:20.750 5 SahdIa32.sys[f7569939] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x86d6a028]
01:48:24.046 AVAST engine scan C:\WINDOWS
01:48:46.312 AVAST engine scan C:\WINDOWS\system32
01:51:17.687 AVAST engine scan C:\WINDOWS\system32\drivers
01:51:40.031 AVAST engine scan C:\Documents and Settings\Kati
01:56:07.515 AVAST engine scan C:\Documents and Settings\All Users
01:59:38.000 Scan finished successfully
02:02:56.406 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Kati\Työpöytä\MBR.dat”
02:02:56.437 The log file has been saved successfully to “C:\Documents and Settings\Kati\Työpöytä\aswMBR1.txt”
Pondus
September 16, 2011, 11:15pm
13
@pete75
Start a topic that is yours, and…
follow the guide here and attach the logs: http://forum.avast.com/index.php?topic=53253.0 and essexboy will have a look when he arrives.
Lower left corner > additional options > attach
If the logs are too big you may upload them to http://www.mediafire.com/ and post the download link here.
system
September 5, 2012, 4:47pm
14
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-06 00:18:37
00:18:37.409 OS Version: Windows 6.1.7601 Service Pack 1
00:18:37.409 Number of processors: 2 586 0x1C0A
00:18:37.425 ComputerName: MARIELLEANTONIO UserName:
00:19:36.643 Initialize success
00:19:38.874 AVAST engine defs: 12090501
00:20:26.688 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
00:20:26.688 Disk 0 Vendor: ST9250315AS 0003DEM1 Size: 238475MB BusType: 11
00:20:26.719 Disk 0 MBR read successfully
00:20:26.735 Disk 0 MBR scan
00:20:26.782 Disk 0 Windows 7 default MBR code
00:20:26.782 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
00:20:26.828 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 81920
00:20:26.860 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 223434 MB offset 30801920
00:20:26.875 Disk 0 scanning sectors +488395120
00:20:26.984 Disk 0 scanning C:\Windows\system32\drivers
00:20:44.581 Service scanning
00:21:19.229 Modules scanning
00:21:31.210 Disk 0 trace - called modules:
00:21:31.787 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
00:21:31.818 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8493c270]
00:21:31.849 3 CLASSPNP.SYS[86bac59e] → nt!IofCallDriver → [0x84856918]
00:21:31.881 5 ACPI.sys[868973d4] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x84854030]
00:21:33.035 AVAST engine scan C:\Windows
00:21:35.609 AVAST engine scan C:\Windows\system32
00:25:46.957 AVAST engine scan C:\Windows\system32\drivers
00:26:09.592 AVAST engine scan C:\Users\Marielle Antonio
00:38:31.037 File: C:\Users\Marielle Antonio\AppData\Roaming\bjvhq.exe INFECTED Win32:Malware-gen
00:40:42.327 AVAST engine scan C:\ProgramData
00:42:16.738 Scan finished successfully
00:43:05.348 Verifying
00:43:15.401 Disk 0 Windows 601 MBR fixed successfully
00:43:45.898 Verifying
00:43:55.976 Disk 0 Windows 601 MBR fixed successfully
00:44:49.975 Disk 0 MBR has been saved successfully to “C:\Users\Marielle Antonio\Desktop\MBR.dat”
00:44:49.991 The log file has been saved successfully to “C:\Users\Marielle Antonio\Desktop\aswMBR.log”
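An added example (editor's code, not aswMBR's and not from any post in this thread) for inspecting the MBR.dat copy that aswMBR saves, or any 512-byte image of sector 0. It parses the partition table into the fields aswMBR prints above (status, type, size, offset), flags the structural faults a boot record can have (missing 55 AA boot signature, as in the April log's "MBR BIOS signature not found"; zero or several active partitions; overlapping entries; an entry that runs past the disk), and compares the boot-code area against a baseline copy, because a bootkit like TDL4 replaces that code while leaving the partition table intact, which is why the structural checks alone pass on an infected record. The sample image is constructed to match the partition layout in the log above; the disk sector count used with `check_mbr` is an assumption for the demonstration. One caveat the April log illustrates: reading sector 0 on a live system whose disk stack is hooked (the unknown module in that log's trace) returns whatever the hook lets through, so take the image from a tool that traces the driver chain, or from offline media.

```python
import hashlib
import struct

MBR_SIZE = 512
SECTOR = 512
CODE_AREA = 440                  # boot code occupies bytes 0..439; the disk signature follows
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510..511


def build_sample_mbr():
    """Constructed fixture matching the partition layout aswMBR printed in the
    log above (Dell Utility at LBA 63, active NTFS at 81920, NTFS at 30801920).
    The boot code area is zero-filled; this is not a dump of any real disk."""
    def entry(status, ptype, lba_start, size_mb):
        sectors = size_mb * 1024 * 1024 // SECTOR
        chs = b"\xfe\xff\xff"  # CHS fields are placeholders; LBA values are what matter here
        return struct.pack("<B3sB3sII", status, chs, ptype, chs, lba_start, sectors)
    table = (entry(0x00, 0xDE, 63, 39)
             + entry(0x80, 0x07, 81920, 15000)
             + entry(0x00, 0x07, 30801920, 223434)
             + bytes(16))
    return bytes(PARTITION_TABLE_OFFSET) + table + BOOT_SIGNATURE


def parse_mbr(data):
    """Decode the partition table and boot signature of a 512-byte MBR image."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes, got %d" % len(data))
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, offset)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({
            "index": index + 1,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", data, CODE_AREA)[0],
        "partitions": partitions,
    }


def check_mbr(data, disk_sectors=None):
    """Return a list of structural problems; an empty list means the table is sane."""
    problems = []
    info = parse_mbr(data)
    if not info["signature_ok"]:
        problems.append("boot signature missing")
    parts = info["partitions"]
    active = [p for p in parts if p["bootable"]]
    if len(active) != 1:
        problems.append("expected exactly one active partition, found %d" % len(active))
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("partition %d overlaps partition %d" % (a["index"], b["index"]))
    if disk_sectors is not None:
        for p in parts:
            if p["lba_start"] + p["sectors"] > disk_sectors:
                problems.append("partition %d extends past end of disk" % p["index"])
    return problems


def boot_code_digest(data):
    return hashlib.sha256(data[:CODE_AREA]).hexdigest()


def boot_code_changed(current, baseline):
    """Compare the boot-code area with a copy saved earlier (aswMBR writes one as
    MBR.dat). Replaced boot code with an untouched partition table is what
    'TDL4@MBR code has been found' reports, and check_mbr cannot see it."""
    return boot_code_digest(current) != boot_code_digest(baseline)
```

To use it on a saved copy: `parse_mbr(open("MBR.dat", "rb").read())`, then `check_mbr(...)` and, once you have a known-clean copy of the same disk, `boot_code_changed(current, baseline)`.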
Pondus
September 5, 2012, 4:50pm
15
@ayneantonio why are you posting in a 1-year-old topic???
If you need help, start a new topic and attach logs … see the guide here http://forum.avast.com/index.php?topic=53253.0