Can't delete MBR: \\.\physicaldrive0 rootkit name hidden boot sector

Hello…
Avast found a rootkit on my scan and I tried to delete it but avast won’t do anything. I also ran a boottime scan and it is not found there…I found a post where it suggested downloading aswmbr and I did and all it says is that it found malicious activity and shuts down windows and it keeps restarting…any ideas or help please!

Hello,

download and run aswMBR from here http://public.avast.com/~gmerek/aswMBR.htm
Download
Run
Scan
Post the log please.

Regards
Philip :slight_smile:

Hi…
I already downloaded the aswMBR and when I go to run it my laptop shuts down and I cannot run it at all! Not sure what to do with that…

NESS0822, does it shut down just when you try to run it, or after you click Scan?

If it’s after you click Scan,
then please first un-check “Trace I/O calls” and then click Scan.

Dwarden…It shuts down after I click Scan. I also tried what you suggested, and even after I un-checked “Trace disk IO calls”…I just get a blue screen and it shuts down!

So I downloaded the TDSSKiller and also OTS Program. I ran the TDSSKiller and it found the threat and I selected “Cure” and rebooted as it instructed…then I ran the OTS, I will post the log that it came up with and hopefully someone can tell me if it seems to be gone?! Thank you for your help!

[Processes - Safe List]
ots.exe → C:\Users\hp\Desktop\OTS.exe → [2011/06/01 08:56:38 | 000,645,632 | ---- | M] (OldTimer Tools)
avastui.exe → C:\Program Files\Alwil Software\Avast5\AvastUI.exe → [2011/05/10 06:10:58 | 003,459,712 | ---- | M] (AVAST Software)
pdvddxsrv.exe → C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe → [2009/02/04 22:26:38 | 000,128,232 | ---- | M] (CyberLink Corp.)

[Modules - Safe List]
ots.exe → C:\Users\hp\Desktop\OTS.exe → [2011/06/01 08:56:38 | 000,645,632 | ---- | M] (OldTimer Tools)
snxhk.dll → C:\Program Files\Alwil Software\Avast5\snxhk.dll → [2011/05/10 06:10:55 | 000,199,792 | ---- | M] (AVAST Software)
comctl32.dll → C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll → [2010/08/31 09:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
64bit-(avast! Antivirus) [Auto | Running] → C:\Program Files\Alwil Software\Avast5\AvastSvc.exe → [2011/05/10 06:10:57 | 000,042,184 | ---- | M] (AVAST Software)
64bit-(wlcrasvc) [Disabled | Stopped] → C:\Program Files\Windows Live\Mesh\wlcrasvc.exe → [2010/09/22 19:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation)
64bit-(hpsrv) [Auto | Running] → C:\Windows\SysNative\Hpservice.exe → [2010/07/16 16:03:58 | 000,030,520 | ---- | M] (Hewlett-Packard Company)
64bit-(AgereModemAudio) [Auto | Running] → C:\Program Files\LSI SoftModem\agr64svc.exe → [2008/08/26 20:02:20 | 000,016,896 | ---- | M] (Agere Systems)
64bit-(AppMgmt) [On_Demand | Stopped] → C:\Windows\SysNative\appmgmts.dll → [2008/01/20 20:49:41 | 000,195,584 | ---- | M] (Microsoft Corporation)
64bit-(WinDefend) [Auto | Running] → C:\Program Files\Windows Defender\MpSvc.dll → [2008/01/20 20:45:48 | 000,383,544 | ---- | M] (Microsoft Corporation)
(clr_optimization_v4.0.30319_32) Microsoft .NET Framework NGEN v4.0.30319_X86 [Auto | Stopped] → C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe → [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation)
(clr_optimization_v2.0.50727_32) Microsoft .NET Framework NGEN v2.0.50727_X86 [Disabled | Stopped] → C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe → [2009/03/29 22:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation)
(PLFlash DeviceIoControl Service) PLFlash DeviceIoControl Service [Auto | Running] → C:\Windows\SysWOW64\IoctlSvc.exe → [2006/12/19 11:30:26 | 000,081,920 | ---- | M] (Prolific Technology Inc.)

[Driver Services - Safe List]
64bit-(aswMonFlt) aswMonFlt [File_System | Auto | Running] → C:\Windows\SysNative\drivers\aswMonFlt.sys → [2011/05/10 05:59:48 | 000,064,344 | ---- | M] (AVAST Software)
64bit-(BCM43XX) Broadcom 802.11 Network Adapter Driver [Kernel | On_Demand | Running] → C:\Windows\SysNative\DRIVERS\bcmwl664.sys → [2011/02/12 15:29:16 | 003,060,800 | ---- | M] (Broadcom Corporation)
64bit-(fssfltr) fssfltr [Kernel | On_Demand | Stopped] → C:\Windows\SysNative\DRIVERS\fssfltr.sys → [2010/09/23 01:36:48 | 000,048,488 | ---- | M] (Microsoft Corporation)
64bit-(hpdskflt) HP Filter [Kernel | Boot | Running] → C:\Windows\SysNative\DRIVERS\hpdskflt.sys → [2010/07/16 16:04:04 | 000,030,008 | ---- | M] (Hewlett-Packard Company)
64bit-(Accelerometer) HP Mobile Data Protection Sensor [Kernel | On_Demand | Running] → C:\Windows\SysNative\DRIVERS\Accelerometer.sys → [2010/07/16 16:03:48 | 000,043,320 | ---- | M] (Hewlett-Packard Company)
64bit-(GEARAspiWDM) GEAR ASPI Filter Driver [Kernel | On_Demand | Running] → C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys → [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.)
64bit-(AgereSoftModem) Agere Systems Soft Modem [Kernel | On_Demand | Running] → C:\Windows\SysNative\DRIVERS\agrsm64.sys → [2008/11/21 23:05:22 | 001,253,376 | ---- | M] (Agere Systems)
64bit-(igfx) igfx [Kernel | On_Demand | Running] → C:\Windows\SysNative\DRIVERS\igdkmd64.sys → [2008/10/27 17:33:30 | 008,039,808 | ---- | M] (Intel Corporation)
64bit-(IntcHdmiAddService) Intel(R) High Definition Audio HDMI [Kernel | On_Demand | Running] → C:\Windows\SysNative\drivers\IntcHdmi.sys → [2008/09/21 14:49:58 | 000,126,464 | ---- | M] (Intel(R) Corporation)
64bit-(RTL8169) Realtek 8169 NT Driver [Kernel | On_Demand | Running] → C:\Windows\SysNative\DRIVERS\Rtlh64.sys → [2008/08/06 01:26:08 | 000,174,592 | ---- | M] (Realtek Corporation )
64bit-(Ntfs) Ntfs [File_System | On_Demand | Running] → C:\Windows\SysNative\Wbem\ntfs.mof → [2006/09/18 15:36:24 | 000,000,308 | ---- | M] ()
[Registry - Safe List]
< 64bit-Internet Explorer Settings [HKEY_LOCAL_MACHINE] > → ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE] > → ->
HKEY_LOCAL_MACHINE: Main\“Local Page” → C:\Windows\SysWOW64\blank.htm →
< Internet Explorer Settings [HKEY_CURRENT_USER] > → ->
HKEY_CURRENT_USER: Main\“Start Page” → http://www.google.com/
HKEY_CURRENT_USER: Main\“Start Page Redirect Cache” → http://www.msn.com/
HKEY_CURRENT_USER: Main\“Start Page Redirect Cache AcceptLangs” → en-us →
HKEY_CURRENT_USER: Main\“Start Page Redirect Cache_TIMESTAMP” → 29 14 37 05 06 CB CB 01 [binary data] →
HKEY_CURRENT_USER: “ProxyEnable” → 0 →
HKEY_CURRENT_USER: “ProxyOverride” → *.local →
< FireFox Extensions [HKLM] > → HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions → →
< FireFox Extensions [User Folders] > →
< HOSTS File > ([2006/09/18 15:37:24 | 000,000,761 | ---- | M] - 20 lines) → C:\Windows\SysNative\Drivers\etc\hosts →
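
The thread is about a hidden boot sector on \\.\PhysicalDrive0. As an added example that is not part of the original posts and not the code of aswMBR, TDSSKiller or OTS, the script below parses a 512-byte MBR, checks the 0x55AA boot signature and the partition table, and compares the SHA-256 of the 440-byte bootstrap area against a known-good copy so that a rewritten boot sector stands out. The sample MBR images, the partition layout in them and the "known good" hash are all constructed inline; `read_first_sector()` (hypothetical helper name, requires administrator rights) shows how the same check would be run against the real disk.

```python
import hashlib
import struct
import sys

SECTOR = 512          # MBR is the first 512-byte sector of the disk
BOOTSTRAP_LEN = 440   # bootstrap code precedes the 4-byte disk signature


def read_first_sector(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk (hypothetical helper; needs admin rights on
    Windows, root with e.g. /dev/sda on Linux). Not called by the tests."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR)


def parse_mbr(sector):
    """Break a 512-byte MBR into bootstrap hash, disk signature and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    bootstrap = sector[:BOOTSTRAP_LEN]
    disk_sig = struct.unpack_from("<I", sector, 440)[0]
    signature = struct.unpack_from("<H", sector, 510)[0]   # bytes 55 AA -> 0xAA55 LE
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        (status, _c0, _c1, _c2, ptype, _e0, _e1, _e2,
         lba_start, sectors) = struct.unpack_from("<BBBBBBBBII", sector, off)
        if ptype == 0:            # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {"valid_signature": signature == 0xAA55,
            "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
            "disk_signature": disk_sig,
            "partitions": partitions}


def check_mbr(sector, known_good_bootstrap_sha256=None):
    """Return a list of human-readable findings; empty list means nothing odd."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature is not 0x55AA")
    if (known_good_bootstrap_sha256
            and info["bootstrap_sha256"] != known_good_bootstrap_sha256):
        findings.append("bootstrap code differs from the known-good copy")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition %d overlaps partition %d" % (a["index"], b["index"]))
    return findings


def build_sample_mbr(bootstrap_code):
    """Construct a minimal MBR image for demonstration (constructed data)."""
    mbr = bytearray(SECTOR)
    mbr[:len(bootstrap_code)] = bootstrap_code
    struct.pack_into("<I", mbr, 440, 0x1234ABCD)                 # disk signature
    struct.pack_into("<BBBBBBBBII", mbr, 446,                    # one NTFS partition
                     0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed samples: a "clean" MBR and one whose bootstrap code was rewritten.
CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90CLEAN_BOOTCODE")
KNOWN_GOOD_HASH = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90EVIL_BOOTCODE")

if __name__ == "__main__":
    # Usage: python mbrcheck.py [device_path]  (e.g. \\.\PhysicalDrive0 as admin)
    sector = read_first_sector(sys.argv[1]) if len(sys.argv) > 1 else TAMPERED_MBR
    for line in check_mbr(sector, KNOWN_GOOD_HASH) or ["no findings"]:
        print(line)
```

The caveat that matters for this thread: a bootkit that has hooked the disk driver stack can hand user-mode readers a clean copy of sector 0 while the real one on the platter is modified, which is exactly why tools like aswMBR and TDSSKiller read below the filter drivers. A hash from inside the infected OS is therefore only a weak signal; the stronger check is to read the sector from a boot CD or another OS and compare the two.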

Attach the TDSSKiller log, please. Can you run aswMBR in safe mode?