MBR:\\physical drive0\partition 3 MBR:SST [rtk] cannot remove

I continue to receive this notice and attempt to delete and reboot, but aswBoot finds nothing. I have tried aswMBR, TDSSKiller, RootkitBuster, Sophos Virus Removal Tool and more, but nothing fixes this problem. Thanks for any help!

Hello,
We’ll run system diagnostics with these two powerful tools. That will allow us to quickly ascertain whether or not malware may be running on your machine.

=> Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


=> Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-click to run GMER.

  • Wait for the initial scan to finish - if there is any query, click No;
  • Click the [ Scan ] button and wait until the full scan is complete;
  • Click [ Save … ] - save the report to the Desktop (named ARK);

  • Then click the >>> button and select the Autostart tab;
  • Click the [ Scan ] button;
  • After the quick scan, click the Copy button;
  • Open Notepad and paste the text. Save the report to the Desktop (named autostart).

Attach here both GMER log reports (ARK.txt and autostart.txt).

as requested

Magna also needs ARK.txt. Should be on the desktop.

Yes, ARK.txt is the first and primary created GMER logfile, and I need that to continue with progress.

Looks like the Alureon rootkit.
Running gparted from a bootable usb and deleting that partition would be a good start.

Unetbootin and a Puppy ISO file can be used to create the bootable usb.

attached

Logs show me that you have installed Microsoft Windows XP Home Edition with Service Pack 2.

Microsoft Windows XP Home Edition Service Pack 2 (X86)

There are three facts you should know about XP systems:

  • The latest Service Pack for the Windows XP system is Service Pack 3. You do not have SP3. Even by today’s malware standards, SP3 does not provide satisfactory security; we will not even mention SP2.

  • M$ shall end the support for the Windows XP system within a little more than ~35 days
http://www.microsoft.com/en-us/windows/enterprise/endofsupport.aspx

  • Machines with Service Pack 2 cannot be cleaned of hardcore malware, because it will most likely filter malware back onto the system immediately after the first connection to the Internet.

You have these options:

  • Install the latest Service Pack 3 using Windows Update and then we can re-try cleaning
  • Upgrade your system to Windows 7 or modern Windows 8.1 using Format C (and this shall re-write the clean MBR)

Microsoft updater has not worked despite many hours of attempting to resolve its failures! I was thinking of the Windows 7 upgrade but didn’t want to go there only to continue to have the MBR problem.

Step 1: Reinstall Windows Update Agent 3.0

  1. Please download the file from the following link:
    http://download.windowsupdate.com/windowsupdate/redist/standalone/7.4.7600.226/windowsupdateagent30-x86.exe
  2. Save the file to “C: drive”.
  3. Click “Start”, “Run”, type: “C:\WindowsUpdateAgent30-x86.exe /wuforce” (without quotations) and then press “Enter” to install the Windows Update engine.
    There is a space between “C:\WindowsUpdateAgent30-x86.exe” and “/wuforce”.

Now try Windows Update to see if the issue has been resolved. Please let us know if this step has resolved it. If not, please proceed to the next step.

Step 2: Delete an Incorrect Registry Key

  1. Click Start, click Run, type REGEDIT, and click OK.
  2. Go to the following Registry branch by clicking the PLUS (+) sign
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  3. Right-click on the key and delete it.
  4. Go to the following Registry branch by clicking the PLUS (+) sign
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  5. Right-click on the key and delete it.
  6. Restart the computer.

Now try Windows Update to see if the issue has been resolved, if not, please proceed to the next step.

Step 3: Load Internet Explorer Default Settings

  1. Please close Internet Explorer.
  2. Click “Start” and click “Run”, input “INETCPL.CPL” (without quotation marks) and press Enter.
  3. Switch to the “Advanced” tab, select “Reset Internet Explorer Settings” under “Restore advanced Settings” button.
  4. Select “Delete Personal Settings” option and click the “Reset” button.

Hi,

On each installation, Windows overwrites the fresh MBR, i.e. overwrites the legit MBR with the already existing one (in this case a malicious MBR).

Or, please follow Eddy’s advice to continue fixing WUP, as I believe that the rootkit has made some mess of the Windows services in order to disable the possible fix for the exploit that the malware uses.

First step noted fixed the windows updater! I am proceeding to update windows to SP3

After installing SP3, keep visiting Windows Update till all security patches/updates are installed.

Finally, updated to SP3 and all updates installed! Avast continues to alert with same message.

Cool. Now we can attempt to clean the Rootkit.
We shall start with ComboFix, as it is the big daddy on XP systems and it has some routines for detecting and removing the bootkit you have.
aswMBR we shall run after ComboFix. It’s important that you upload here the MBR.dat file created by the tool.

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

  • Right-click on the avast! system tray icon (http://www.mcshield.net/pg/images/avast5.png) in the lower right corner of the screen and scroll up to avast! shield controls;
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Click on I Agree!

- ComboFix will display a DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
  • If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach the log report (ComboFix.txt) back to the topic.
  • ComboFix shall also create an additional log. Please attach it to your reply.
    C:\Qoobox\ComboFix-quarantined-files.txt

Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool.

  • Select Yes if prompted to download the Avast database.
  • Click Scan
  • Upon completion of the scan (Scan finished successfully) click Save log and save it to your desktop, and post that log in your next reply for review.
Note: do NOT attempt any Fix yet.

  • You will also notice another file created on the desktop named MBR.dat. Right-click that file and select Send To > Compressed file. Attach that zipped file in your next reply as well.
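The MBR.dat that aswMBR writes is a raw copy of the first sector of the disk, so its partition table can be read offline before anyone decides to delete a partition as suggested earlier in the thread. The following is an added example, not code from this thread or from any of the tools it mentions: a small Python script that parses the four-entry MBR partition table and reports entries a responder would look at twice (a partition type outside the expected list, an entry extending past the disk, or overlapping entries). The sample sector, the disk size and the list of expected partition type IDs are constructed for the example; a real MBR.dat and the disk's sector count can be passed on the command line.

```python
"""Inspect the partition table of a raw 512-byte MBR sector dump."""
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
ENTRY_SIZE = 16

# Assumption: a short, non-exhaustive list of partition type IDs one expects on a
# Windows XP disk. Anything outside it is reported for a human to look at,
# not declared malicious.
EXPECTED_TYPES = {
    0x05: "Extended (CHS)",
    0x07: "NTFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x12: "OEM diagnostic/recovery",
    0x17: "Hidden NTFS",
    0x1B: "Hidden FAT32",
    0x1C: "Hidden FAT32 (LBA)",
}


def parse_mbr(sector):
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a single %d-byte sector" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        entries.append({
            "index": slot + 1,
            "bootable": status == 0x80,
            "type": type_id,
            "lba_start": lba_start,
            "sectors": count,
            "size_mb": count * SECTOR_SIZE // (1024 * 1024),
        })
    return entries


def find_suspicious(entries, disk_sectors):
    """Return (partition index, reason) pairs for entries worth a closer look.
    disk_sectors may be 0 when the disk size is unknown; that check is then skipped."""
    findings = []
    for e in entries:
        if e["type"] not in EXPECTED_TYPES:
            findings.append((e["index"], "unexpected partition type 0x%02X" % e["type"]))
        if disk_sectors and e["lba_start"] + e["sectors"] > disk_sectors:
            findings.append((e["index"], "extends past the end of the disk"))
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append((b["index"], "overlaps partition %d" % a["index"]))
    return findings


def _entry(status, type_id, lba_start, count):
    # CHS fields filled with 0xFF, as LBA-only tooling commonly does (constructed values)
    return struct.pack("<B3sB3sII", status, b"\xff" * 3, type_id, b"\xff" * 3, lba_start, count)


# Constructed sample: a ~14 GiB disk with a bootable NTFS system partition, a FAT32
# data partition, and a third, typeless entry tucked in at the end of the disk.
DISK_SECTORS = 30_000_000
SAMPLE_MBR = (
    b"\x00" * TABLE_OFFSET
    + _entry(0x80, 0x07, 63, 20_000_000)
    + _entry(0x00, 0x0B, 20_000_063, 5_000_000)
    + _entry(0x00, 0x00, 29_990_000, 8_192)
    + b"\x00" * ENTRY_SIZE
    + BOOT_SIGNATURE
)


def report(sector, disk_sectors):
    """Human-readable summary of the table followed by the findings."""
    entries = parse_mbr(sector)
    lines = []
    for e in entries:
        name = EXPECTED_TYPES.get(e["type"], "unknown")
        lines.append("partition %d: type 0x%02X (%s) start LBA %d, %d sectors (%d MB)%s" % (
            e["index"], e["type"], name, e["lba_start"], e["sectors"], e["size_mb"],
            " [bootable]" if e["bootable"] else ""))
    for index, reason in find_suspicious(entries, disk_sectors):
        lines.append("  -> partition %d: %s" % (index, reason))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python mbr_check.py MBR.dat [disk_sector_count]
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR_SIZE)
        total = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    else:
        data, total = SAMPLE_MBR, DISK_SECTORS
    print("\n".join(report(data, total)))
```

On the constructed sample the script lists the three partitions and flags only the third one, for its unexpected type ID; the flags are prompts for a closer look, not a verdict, which is why the thread's helpers still want the MBR.dat itself.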

More problems… Downloaded and ran combofix. It ran to the point of scanning for ten minutes then I got the avast “rootkit found” alert even though I had disabled avast. It also froze the combofix run and froze the keyboard, mouse. I powered down the PC and the PC rebooted. AVAST is still disabled. Tried it all again and got the same - frozen PC.

Ok, don’t panic. :wink:
I do believe that ComboFix has detected the rootkit, but avast wanted as well to peek into what CF looks at/checks, and thus the result is confusion.
ComboFix is extremely powerful on XP systems. On the other hand, sometimes it is hard to run as well …

1. Delete the current copy of ComboFix (drag&drop icon into Recycle) and download new, fresh copy of the tool.

2. Disable avast using this guide:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens, on the top right corner, click Settings.
  • In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

3. Try to run ComboFix again and follow the prompts.

If you fail again to complete the scan with ComboFix, then restart the system once again, follow step #1 (download a fresh CF), disable avast
and try to run ComboFix from Safe Mode (boot Windows XP in Safe Mode and run CF from there).

Did as suggested but got the pop up avast alert again for rootkit and combofix froze. I noticed in avast settings the option of disabling the rootkit at start up. Should I try that?

Wait until tomorrow. magna is asleep.

Are you sure that avast is disabled? Uninstall avast for now and re-try …