frustration with Rootkit

I am having a frustrating time trying to remove a rootkit. It is an MBR:physicaldrive0\partition4
I have run several programs; only two have found it, AVG 2013 and Avast. Both try to remove it but are unable. I also get a “URL blocked” message popping up from Avast approx. every 3-5 min. I also get redirected in Internet Explorer and Google. I have attached a JPG of the message that I get from Avast. It all started from a fake Windows program that said “my computer is infected, click here”; unfortunately my wife did. :frowning:
Please help.

Hi and welcome to the Forum.

Let’s ask Essexboy, our Malware Expert to have a look inside.
Please follow this guide and attach (not copy and paste) the requested logs. http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR

Because of the time zone difference please be patient until morning. :wink: :slight_smile:

Thank you
I have followed the guide in the link; I will attach the logs. The only one I can't run is aswMBR: I am able to download it, but when I try to run the program it does nothing. I have even tried renaming it.

I cannot attach my OTL log; it is too large. It is 225 KB and the max individual log size is 200 KB.
I am able to attach the Extras log.

I have separated my OTL file in two. I have attached it as OTLpart1; I will have to post again with OTLpart2.

Now part 2.
I do understand I will have to wait because of the time difference; I will be very happy though once my computer is cleaned.
I have always been able to delete any virus or malware I have gotten or that my friends have gotten (which is few). This one has me agitated because I cannot remove it. By all means, I am not a computer expert.

I am unable to run aswMBR. I have tried safe mode and also tried running rkill before aswMBR, with no luck. I have downloaded the program, but when I run it nothing happens.

If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software or deliver malware. For an example of these types of pop-ups, or Foistware, you should read this article: http://www.bleepingcomputer.com/forums/topic31797.html

If you are browsing the Internet and a popup appears saying that you are infected, ignore it!
Ignore it... when it happens every 3-5 minutes? ::)

There is a rootkit infection here…

The popup is from avast! :wink: (See the screenshot)

The popups happen even when Internet Explorer or Google Chrome are closed.

Please ignore true indian’s advice.

Malware removers are notified; it may take hours before one arrives, so be patient…

I will, thanks. It is 12:00 am here; I will be heading to bed, as I have to get up at 5:00 am, but I will check in a little later.

Hi there, do you have a spare USB drive?

Download the following three programmes to your desktop:

  1. WiNToBootic
  2. Windows 7 64bit RC
  3. Listparts64

Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy Listparts64 to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this, although yours will state Windows 7.
Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

Type notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\listparts64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (result.txt) on the flash drive. Please copy and paste it to your reply.
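An added example, not part of Essexboy's post or of any of the tools it names: a small Python parser for a 512-byte MBR sector, run against a constructed sample image, that lists the four partition-table entries (the kind of information a partition-listing log carries) and flags entries worth a closer look in an offline check, such as a second active flag or a range that runs past the end of the disk. Disk size, partition layout and the odd fourth slot are all constructed here, not values from the thread.

```python
import struct

ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446       # the partition table sits after the boot-code area

def build_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry; CHS fields are left zero."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

DISK_SECTORS = 62_914_560  # constructed sample disk: 30 GiB of 512-byte sectors

# Constructed sample MBR: zeroed boot code, four entries, 0x55AA signature.
# Slot 4 is deliberately odd: hidden type, a second active flag, and a
# sector range that runs past the end of the disk.
SAMPLE_MBR = (
    b"\0" * TABLE_OFFSET
    + build_entry(0x80, 0x07, 2048, 204_800)        # 1: System Reserved, active
    + build_entry(0x00, 0x07, 206_848, 62_705_664)  # 2: Windows volume
    + build_entry(0x00, 0x00, 0, 0)                 # 3: unused slot
    + build_entry(0x80, 0x27, 62_912_512, 4_096)    # 4: hidden, active, past disk end
    + b"\x55\xaa"
)

def parse_mbr(sector):
    """Return the four partition-table entries of a 512-byte MBR as dicts."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        parts.append({"index": i + 1, "active": status == 0x80,
                      "type": ptype, "start": start, "sectors": count})
    return parts

def find_anomalies(parts, disk_sectors):
    """Flag table entries that deserve a closer look in an offline check."""
    findings = []
    used = [p for p in parts if p["type"] != 0 and p["sectors"] != 0]
    if sum(p["active"] for p in used) > 1:
        findings.append("more than one partition carries the active (0x80) flag")
    for p in used:
        if p["start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    for a in used:
        for b in used:
            if (a["index"] < b["index"] and a["start"] < b["start"] + b["sectors"]
                    and b["start"] < a["start"] + a["sectors"]):
                findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings
```

To inspect a real disk you would read its first 512 bytes from an offline boot environment and pass them to parse_mbr together with the disk's sector count.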

Thank you for helping.
You mention I need to download Listparts64, but your screen shows FRST64. Please confirm.

I have followed the directions up to restarting the computer with a USB drive. It will not let me continue. I will attach pics of the screens.

I do not get to the Windows screen that you show. I have tried the different options it gives me, but with no luck finding the file I need. I have tried both listparts64 and frst64.

Yes, it is Listparts that we require; FRST is a similar programme but mainly for non-booting computers.

On the second screenshot select the recovery tools option at the top, then click Next.

When I click Next, the attached image is what I get.