can't delete rootkit MBR:\\.\PHYSICALDRIVE0

Avast has started flagging the rootkit MBR:\\.\PHYSICALDRIVE0, as well as the trojan Alureon, every 5-10 minutes, but it won't delete it. I ran a full system scan and deleted everything it found, then ran a boot-time scan, and that said it had got it as well, but as soon as I signed in I started getting notifications that a program was trying to access an unsafe URL. Is there anything I can do? I ran aswMBR; this is the log it returned:


19:08:25.894 OS Version: Windows 6.0.6002 Service Pack 2
19:08:25.895 Number of processors: 2 586 0x301
19:08:25.899 ComputerName: ROSS-PC UserName:
19:08:32.760 Initialize success
19:08:35.423 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
19:08:35.446 Disk 0 Vendor: Hitachi_HTS543225L9A300 FBEOC40J Size: 238475MB BusType: 3
19:08:37.463 Disk 0 MBR read successfully
19:08:37.476 Disk 0 MBR scan
19:08:37.480 Disk 0 TDL4@MBR code has been found
19:08:37.484 Disk 0 MBR hidden
19:08:37.487 Disk 0 MBR [TDL4] ROOTKIT
19:08:37.496 Disk 0 trace - called modules:
19:08:37.502 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll acpi.sys >>UNKNOWN [0x869cf4d0]<<
19:08:37.508 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85b0e030]
19:08:37.514 3 CLASSPNP.SYS[8a1a98b3] → nt!IofCallDriver → [0x85b032a8]
19:08:37.520 5 hpdskflt.sys[8a18c0be] → nt!IofCallDriver → [0x85af8918]
19:08:37.528 7 acpi.sys[8060f6bc] → nt!IofCallDriver → [0x85aea030]
19:08:37.535 \Driver\atapi[0x85b03748] → IRP_MJ_CREATE → 0x869cf4d0
19:08:37.547 Scan finished successfully
19:44:56.889 Disk 0 MBR has been saved successfully to “C:\Users\your name\Desktop\MBR.dat”
19:44:56.933 The log file has been saved successfully to “C:\Users\your name\Desktop\aswMBR.txt”

1) Scan again, click “FIX” and reboot.
2) After the reboot, run a new scan, click “save log” and post that log here in your next reply.

Thanks for the speedy reply, here's the log:


21:44:14.609 OS Version: Windows 6.0.6002 Service Pack 2
21:44:14.609 Number of processors: 2 586 0x301
21:44:14.609 ComputerName: ROSS-PC UserName:
21:44:27.745 Initialize success
21:44:30.584 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
21:44:30.584 Disk 0 Vendor: Hitachi_HTS543225L9A300 FBEOC40J Size: 238475MB BusType: 3
21:44:32.705 Disk 0 MBR read successfully
21:44:32.721 Disk 0 MBR scan
21:44:32.721 Disk 0 unknown MBR code
21:44:34.780 Disk 0 scanning sectors +488395120
21:44:34.952 Disk 0 scanning C:\Windows\system32\drivers
21:44:48.773 Service scanning
21:44:53.282 Disk 0 trace - called modules:
21:44:53.313 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll acpi.sys ataport.SYS PCIIDEX.SYS msahci.sys
21:44:53.313 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x857fdac8]
21:44:53.329 3 CLASSPNP.SYS[8a1b58b3] → nt!IofCallDriver → [0x85717020]
21:44:53.344 5 hpdskflt.sys[8a1980be] → nt!IofCallDriver → [0x856e1c10]
21:44:53.360 7 acpi.sys[8060e6bc] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x856ea030]
21:44:53.375 Scan finished successfully
21:45:16.916 Disk 0 MBR has been saved successfully to “C:\Users\your name\Desktop\MBR.dat”
21:45:17.025 The log file has been saved successfully to “C:\Users\your name\Desktop\aswMBR.txt”
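The two aswMBR logs above (before and after “FIX”) read by a small triage script. This is an added example, not part of the thread or of aswMBR itself; it pulls out the three things the logs change between the runs: the signature verdict on the MBR, the unknown module in the disk driver trace, and the dispatch entry redirected into it.

```python
import re

# Entries copied from the two aswMBR logs posted in this thread (before and
# after "FIX"), keeping only the lines the triage looks at. aswMBR prints the
# call chain with "->"; the forum rendering above shows it as an arrow.
LOG_BEFORE = """\
19:08:37.480 Disk 0 TDL4@MBR code has been found
19:08:37.484 Disk 0 MBR hidden
19:08:37.487 Disk 0 MBR [TDL4] ROOTKIT
19:08:37.502 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll acpi.sys >>UNKNOWN [0x869cf4d0]<<
19:08:37.535 \\Driver\\atapi[0x85b03748] -> IRP_MJ_CREATE -> 0x869cf4d0
19:08:37.547 Scan finished successfully
"""
LOG_AFTER = """\
21:44:32.721 Disk 0 unknown MBR code
21:44:53.313 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll acpi.sys ataport.SYS PCIIDEX.SYS msahci.sys
21:44:53.375 Scan finished successfully
"""

ROOTKIT_RE = re.compile(r"MBR \[(?P<family>\w+)\] ROOTKIT")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
DISPATCH_RE = re.compile(r"(IRP_MJ_\w+)\s*(?:->|\u2192)\s*(0x[0-9a-fA-F]+)\s*$")

def triage(log_text):
    """Summarise one aswMBR log: MBR signature verdict, unknown kernel modules
    in the disk driver trace, and IRP dispatch entries redirected into them
    (the \\Driver\\atapi -> IRP_MJ_CREATE -> 0x869cf4d0 line above)."""
    summary = {"family": None, "hidden": False, "unknown_modules": [],
               "hijacked_dispatch": [], "finished": False}
    for line in log_text.splitlines():
        msg = line.split(" ", 1)[1] if " " in line else line  # drop timestamp
        if m := ROOTKIT_RE.search(msg):
            summary["family"] = m.group("family")
        if "MBR hidden" in msg:
            summary["hidden"] = True
        summary["unknown_modules"] += [a.lower() for a in UNKNOWN_RE.findall(msg)]
        if m := DISPATCH_RE.search(msg):
            summary["hijacked_dispatch"].append((m.group(1), m.group(2).lower()))
        if "Scan finished successfully" in msg:
            summary["finished"] = True
    # A dispatch entry only counts as hijacked when it lands in an unknown module.
    summary["hijacked_dispatch"] = [x for x in summary["hijacked_dispatch"] if x[1] in summary["unknown_modules"]]
    return summary

def is_clean(summary):
    """Clean means: scan completed, no rootkit verdict, MBR not hidden, and
    every module in the disk driver call chain is known."""
    return (summary["finished"] and summary["family"] is None
            and not summary["hidden"] and not summary["unknown_modules"])
```

Running `triage` on each log and `is_clean` on the result reproduces the helper's reading: the first run is a TDL4 verdict with a hidden MBR and a hooked atapi dispatch, the second has none of those.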

Looks good. Any other problems?

I ran Rootkit Buster too and it's still finding 30 infected files, here's the log:

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwAddBootEntry
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82902ec6
CurrentHandler : 0x9e526202
ServiceNumber : 0x9
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateEvent
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8285fd37
CurrentHandler : 0x9e5287f0
ServiceNumber : 0x3a
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateEventPair
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82908584
CurrentHandler : 0x9e528848
ServiceNumber : 0x3b
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateIoCompletion
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82819907
CurrentHandler : 0x9e52895e
ServiceNumber : 0x3d
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateMutant
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8286d7bc
CurrentHandler : 0x9e528746
ServiceNumber : 0x43
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateSection
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8287ed95
CurrentHandler : 0x9e528898
ServiceNumber : 0x4b
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateSemaphore
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82824cc3
CurrentHandler : 0x9e52879a
ServiceNumber : 0x4c
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateTimer
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82807a9f
CurrentHandler : 0x9e52890c
ServiceNumber : 0x4f
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDeleteBootEntry
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82902ef7
CurrentHandler : 0x9e526226
ServiceNumber : 0x78
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwLoadDriver
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827b8dee
CurrentHandler : 0x9e525ff0
ServiceNumber : 0xa5
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwModifyBootEntry
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x829030c7
CurrentHandler : 0x9e52624a
ServiceNumber : 0xb2
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwNotifyChangeKey
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8280c5d9
CurrentHandler : 0x9e528d56
ServiceNumber : 0xb5
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwNotifyChangeMultipleKeys
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8280ba51
CurrentHandler : 0x9e526cda
ServiceNumber : 0xb6
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenEvent
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82846d5f
CurrentHandler : 0x9e528820
ServiceNumber : 0xb8
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenEventPair
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x829086b3
CurrentHandler : 0x9e528870
ServiceNumber : 0xb9
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenIoCompletion
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828ba6cd
CurrentHandler : 0x9e528988
ServiceNumber : 0xbb
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenMutant
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8285eaf1
CurrentHandler : 0x9e528772
ServiceNumber : 0xbf
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenSection
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8285e5fd
CurrentHandler : 0x9e5288d8
ServiceNumber : 0xc5
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenSemaphore
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x827f2ebe
CurrentHandler : 0x9e5287c8
ServiceNumber : 0xc6
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenTimer
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x8290830f
CurrentHandler : 0x9e528936
ServiceNumber : 0xcc
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwQueryObject
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82833343
CurrentHandler : 0x9e526ba0
ServiceNumber : 0xed
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetBootEntryOrder
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x829037f8
CurrentHandler : 0x9e52626e
ServiceNumber : 0x11f
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetBootOptions
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82903cfa
CurrentHandler : 0x9e526292
ServiceNumber : 0x120
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetSystemInformation
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82833e83
CurrentHandler : 0x9e52604a
ServiceNumber : 0x13d
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetSystemPowerState
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x829270a1
CurrentHandler : 0x9e526186
ServiceNumber : 0x13e
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwShutdownSystem
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x829003a1
CurrentHandler : 0x9e526162
ServiceNumber : 0x146
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSystemDebugControl
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x82845e51
CurrentHandler : 0x9e5261aa
ServiceNumber : 0x14c
ModuleName : aswSnx.SYS
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwVdmControl
Image Path : C:\Windows\System32\Drivers\aswSnx.SYS
OriginalHandler : 0x828f4ee3
CurrentHandler : 0x9e5262b6
ServiceNumber : 0x15d
ModuleName : aswSnx.SYS
SDTType : 0x0

aswSnx.SYS http://www.freefixer.com/library/file/68131/

Any antivirus program installs a rootkit.
A rootkit is a legitimate program.

The computer is clean from any rootkit infections.

Regards :slight_smile:
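The check behind the reply above (every hooked service points into Avast's own aswSnx.SYS, loaded from its normal driver directory), written out as an added example that is not part of this thread or of Rootkit Buster. Two entries are copied from the posted log; the third, “example.sys”, is constructed here to show how a hook from a module outside the allowlist is reported.

```python
import re
from collections import defaultdict

# Two entries copied from the Rootkit Buster log in this thread (trimmed to the
# fields used here) plus one constructed entry for a hypothetical "example.sys".
HOOK_LOG = """\
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwAddBootEntry
Image Path : C:\\Windows\\System32\\Drivers\\aswSnx.SYS
ModuleName : aswSnx.SYS
[HOOKED_SERVICE_API]:
Service API : ZwLoadDriver
Image Path : C:\\Windows\\System32\\Drivers\\aswSnx.SYS
ModuleName : aswSnx.SYS
[HOOKED_SERVICE_API]:
Service API : ZwCreateFile
Image Path : C:\\Windows\\Temp\\example.sys
ModuleName : example.sys
"""

# Drivers whose SSDT hooks are expected here; the thread identifies aswSnx.SYS as Avast's own.
KNOWN_SECURITY_DRIVERS = {"aswsnx.sys": "c:\\windows\\system32\\drivers\\aswsnx.sys"}
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.+)$")

def parse_hooks(text):
    hooks, current = [], None
    for line in text.splitlines():
        if line.startswith("[HOOKED_SERVICE_API]"):
            current = {}
            hooks.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group("key").strip()] = m.group("val").strip()
    return hooks

def classify(hooks):
    """Group hooks by module. A module is expected only when its name AND the
    path it loaded from match the allowlist, so a look-alike name elsewhere is flagged."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["ModuleName"]].append(h)
    report = {}
    for module, entries in by_module.items():
        paths = {h["Image Path"].lower() for h in entries}
        expected = paths == {KNOWN_SECURITY_DRIVERS.get(module.lower())}
        report[module] = {"expected": expected,
                          "apis": sorted(h["Service API"] for h in entries)}
    return report

def unexpected_modules(report):
    return sorted(m for m, r in report.items() if not r["expected"])
```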

Oh, thank God for that, I was beginning to panic a little :stuck_out_tongue: Well, thanks for all the help everyone, it was greatly appreciated.

Ross