Hi, newbie here

Hi, I have the PHYSICALDRIVE0 / ROOTKIT problem. I was looking for help resolving the issue … I see other related threads here; can I just follow the actions on there, or is each one specific and unique ???

thanks

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )

To avoid using multiple posts with copy and paste you have to attach the logs.
Lower left corner: Additional Options > Attach ( Malwarebytes log - OTL log - aswMBR log ); save the OTL log as ANSI

Essexboy will look at the logs when he arrives here later today…

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7593

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

28/08/2011 11:08:59
mbam-log-2011-08-28 (11-08-58).txt

Scan type: Quick scan
Objects scanned: 156614
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) → Value: ForceClassicControlPanel → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\user\local settings\Temp\ptu747_tmp.exe (PUP.Casino) → Not selected for removal.

If you post the remaining logs I will check them out

Here's the two files required … I think :slight_smile:

Sorry, I think I've forgotten the aswMBR log … it is currently scanning … will post ASAP … thanks

Here's the log

13:17:32.562 Disk 0 MBR:Whistler-C [Rtk]
13:17:32.578 Disk 0 Whistler@MBR code has been found
13:17:32.578 Disk 0 MBR [Whistler] **ROOTKIT**

Run aswMBR and scan again, then click FixMBR and reboot when the program is finished.

After reboot, scan again, click Save log and post it in your next reply.

What Pondus said but with pretty pictures ;D

Re-Run aswMBR

Click Scan

On completion of the scan, click the FIXMBR button

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRFixMBR.gif

Save the log as before and post in your next reply

THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKU\S-1-5-21-1844237615-1659004503-1644491937-1004..\Run: [NwiQiuwu] File not found
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\user\Local Settings\Application Data\ftqexrne\nwiqiuwu.exe) - File not found
[2011/08/19 22:45:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\ftqexrne

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Essex, be sure to verify that file that he did not select for removal > c:\documents and settings\user\local settings\Temp\ptu747_tmp.exe (PUP.Casino) → Not selected for removal.

He didn't remove it, according to his MBAM log.
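Pondus's point above, that a scan log can record a detection the user never chose to remove, is easy to miss in a long log. As an added example (not code from this thread, from Malwarebytes, or from any helper here), the Python below parses the Malwarebytes 1.x log layout posted earlier: it reads the summary counts and the per-section detection lines, checks that the counts agree with the lines it parsed, and lists any item whose recorded action is not a successful quarantine. The embedded sample log is a constructed copy of the one posted in this thread; it accepts both the `->` arrows a real log uses and the `→` arrows the forum rendered.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the Malwarebytes 1.x log layout, copied from the scan
# log posted in this thread. A real log would be read from the .txt file.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7593

Scan type: Quick scan
Objects scanned: 156614

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\user\local settings\Temp\ptu747_tmp.exe (PUP.Casino) -> Not selected for removal.
"""

# "Registry Keys Infected: 2" (summary block) vs. "Registry Keys Infected:" (section header)
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path> (<category>)" at the start of every detection line
HEAD_RE = re.compile(r"^(?P<path>.+) \((?P<category>[^()]+)\)$")
# separator between path, optional detail fields and the final action
ARROW_RE = re.compile(r" (?:->|→) ")

@dataclass
class Detection:
    section: str
    path: str
    category: str
    action: str

def parse_mbam_log(text):
    """Return (summary counts by section, list of Detection) for one log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line.startswith("(No malicious"):
            continue  # header lines before the first section, or an empty section
        parts = ARROW_RE.split(line)
        if len(parts) < 2:
            continue
        m = HEAD_RE.match(parts[0])
        if not m:
            continue
        # the last arrow-separated field is the action MBAM took (trailing '.' dropped)
        detections.append(Detection(section, m["path"], m["category"], parts[-1].rstrip(".")))
    return summary, detections

def unresolved(detections):
    """Detections whose recorded action is not a successful quarantine/delete."""
    return [d for d in detections if not d.action.startswith("Quarantined and deleted successfully")]

def summary_mismatches(summary, detections):
    """Sections whose header count disagrees with the number of lines parsed (parser sanity check)."""
    seen = Counter(d.section for d in detections)
    return {s: (n, seen.get(s, 0)) for s, n in summary.items() if seen.get(s, 0) != n}

if __name__ == "__main__":
    summary, dets = parse_mbam_log(SAMPLE_LOG)
    for d in unresolved(dets):
        print(f"[{d.section}] {d.category}: {d.path} -> {d.action}")
```

On the thread's log this reports exactly one line, the PUP.Casino file in the Temp folder, which is the item Pondus asked Essexboy to verify; a non-empty result from `summary_mismatches` would mean the log contains a line shape the parser does not recognise and the report cannot be trusted.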

Here's the new log … P.S. after reboot, before the new scan, avast popped up finding Whistler with the option to ignore

thanks for your help so far

OTL clear temp will have killed that

What problems do you have at the moment?

It has blocked my wireless internet; I have to run the PC directly off the hub

OK, let's ensure that I killed it all

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, and also describe how your computer is running now

Sorry, I've got to go out … women !!! I'll continue this again shortly … thanks for the help so far again to all

LOL ;D
Have fun…!

Is anyone available to help?

essexboy already told you what to do next.
Follow his advice…!

Previous page - run Combofix ;D

ComboFix ran … on completing, the comp auto-restarted … when rebooted it came up "Windows recovered from a serious error" … I can't see any logs for it though, comp seems to be running fine though still not connecting to my wireless adaptor