MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST Help!

I have an issue with a rootkit I guess. I can’t get rid of it. I have tried an avast bootscan twice with no avail and came looking for more help. It keeps giving me this info when I scan my computer with avast.

MBR:\\.\PHYSICALDRIVE0\partition3 High risk Threat:MBR:SST

I also keep getting notified that avast has blocked a harmful URL. It comes up with different ones.

I started looking into it when my wife said it was playing audio from commercials for no reason, even when the internet wasn’t open.

I am glad to provide any logs needed. This is a computer for my church and I would like to get it cleaned up and back to work.

Thanks,
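For readers who want to understand what a detection path like `MBR:\\.\PHYSICALDRIVE0\partition3` refers to, the following is an added example and not code posted by anyone in this thread or by avast. It parses a raw 512-byte MBR sector (the boot code followed by four 16-byte partition-table entries and the 0x55AA signature), checks the boot code against a known-good hash, and flags structurally odd table entries. It assumes that "partitionN" is a 1-based index into that table, so partition3 is the third entry; the sector layout, hashes and disk size used here are constructed for offline testing, not taken from the affected machine.

```python
"""Inspect a raw 512-byte MBR sector: parse the four partition-table entries,
verify the boot signature, flag structurally suspicious entries, and compare
the boot-code region against a known-good SHA-256 baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code
PART_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr(entries, boot_code=b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"):
    """Build a constructed MBR image for offline testing (not read from a real disk).
    entries: list of (status, type, lba_start, sector_count) tuples, at most four."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries[:4]):
        off = PART_TABLE_OFFSET + i * 16
        # CHS fields are set to 0xFFFFFF, as LBA-addressed disks commonly have
        mbr[off:off + 16] = struct.pack(PART_ENTRY_FMT, status, b"\xff" * 3,
                                        ptype, b"\xff" * 3, lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(data):
    """Return the non-empty partition entries as dicts. 'index' is 1-based, so the
    third table entry corresponds to 'partition3' (assumed scanner naming)."""
    if len(data) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            PART_ENTRY_FMT, data[off:off + 16])
        if ptype == 0 and lba == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def boot_code_hash(data):
    """SHA-256 of the boot-code region; record this on a clean system as the baseline."""
    return hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest()


def ranges_overlap(p, q):
    return (p["lba_start"] < q["lba_start"] + q["sectors"]
            and q["lba_start"] < p["lba_start"] + p["sectors"])


def check_mbr(data, baseline_hash, disk_sectors):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    if boot_code_hash(data) != baseline_hash:
        findings.append("boot code differs from known-good baseline")
    parts = parse_mbr(data)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition{p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition{p['index']}: extends past end of disk")
        for q in parts:
            if q["index"] > p["index"] and ranges_overlap(p, q):
                findings.append(f"partition{p['index']} overlaps partition{q['index']}")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    return findings


if __name__ == "__main__":
    # Constructed three-partition layout: the third entry is what a scanner
    # would call 'partition3' under the naming assumption above.
    layout = [(0x80, 0x07, 2048, 204800),
              (0x00, 0x07, 206848, 409600),
              (0x00, 0x07, 616448, 409600)]
    clean = build_sample_mbr(layout)
    baseline = boot_code_hash(clean)
    for p in parse_mbr(clean):
        print(p)
    print("clean image findings:", check_mbr(clean, baseline, 2_000_000))
    altered = build_sample_mbr(layout, boot_code=b"\xeb\xfe")
    print("altered image findings:", check_mbr(altered, baseline, 2_000_000))
```

On a real Windows system the first sector of `\\.\PhysicalDrive0` can be read by an administrator and passed to `parse_mbr`; the value of the baseline hash only means something if it was recorded while the machine was known to be clean, which is why tools like aswMBR and TDSSKiller compare against their own reference data rather than asking the user for one.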

Follow this guide and attach the logs (do not copy and paste): http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

Monitoring.

Each Log was run as directed and is attached. (I am attaching them as I complete them). aswMBR.exe would not run when attempted.

Don't forget the aswMBR log.

Is this a company computer?

It seems you have avast and Symantec/Norton Endpoint installed?

It belongs to a church. It was set up by an IT guy from the church who works for a college, so he does things by the company book. He set it up with Endpoint, but it never functioned properly. I disabled it… I don't know how completely, and had Microsoft Security Essentials take over. It didn't cause conflicts with the system. aswMBR wouldn't run. I don't know why.

You need to uninstall the AV you do not use.
Running multiple AVs will slow down your machine, give mysterious Windows errors and false positive detections.

Uninstall and then run the removal tool to clear any leftover files that may conflict.
You find the tools here: http://singularlabs.com/uninstallers/security-software/

You may try running aswMBR from safe mode.

I uninstalled Symantec Endpoint through the control panel. Do I need to do more to clean it up?

I also tried running aswMBR in safe mode. I watched it in the Task Manager under Processes. It popped up for about five seconds, then disappeared from the processes list. It also had an *32 next to it; I wasn't sure if the problem could be the 64-bit Windows 7 system that I am running.

I also did not see a removal tool for Symantec Endpoint Security, so I am not sure how to proceed with a removal tool.

We're sorry, but uninstalling with the Control Panel is not enough. This is why Pondus states "uninstall and then run the removal tool to clear any leftover files that may conflict…"

And, it appears that Symantec does not make this an easy task. You can find information at this link : http://www.symantec.com/business/support/index?page=content&id=TECH184988

You might want to ask this 'IT guy from the church' to help complete the uninstall of SEP. It is going to be hard to get any other program to work correctly until every last entry of SEP is removed from the system. As is typical of Symantec products, SEP is deeply embedded into the system.

Perhaps Pondus can give more information when he returns.

IMHO, SEP was an improper program to install on a normal church computer.

Hi sethdb, I will work with you.

You have three antivirus programs:

Avast
Norton > Removal Tool
Microsoft Security Essentials

It's a miracle that the computer still works :o

Uninstall Norton and MSE and post a new OTL log file to inspect.
Try running aswMBR.

Thanks for all the help.

Argus, does this Norton tool deal properly with Symantec Endpoint? CharleyO's link showed that it may be more difficult to remove than just a simple tool. I will run the Norton tool to try it, but I just was unsure.

Also, does Windows completely uninstall Microsoft Security Essentials, or will I need a second program to "clean" the rest afterward?

The computer also just decided to install a Windows update. Does that affect anything?

Uninstall MSE from the Control Panel > Programs and Features.

The computer also just decided to install a Windows update. Does that affect anything?

No.

Microsoft Security Essentials is uninstalled.
Norton tool run.

OTL is running, but I did not paste the extra scripts from http://forum.avast.com/index.php?topic=53253.0… Should I have used these again? I can re-run with the extra scripts if that helps you.

I will post the log as soon as it finishes.

OK.

OTL log

Step 1

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens, on the top right corner, click Settings.
- In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (Typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

Step 2

Download TDSSKiller and save it to your desktop.

Execute TDSSKiller.exe by double-clicking on it.

- Press Start Scan.

- If a Suspicious object is detected, the default action will be Skip; click on Continue.
- If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

I tried to run aswMBR in standard and safe mode; neither attempt was successful.

Do what I wrote above in the post.

I disabled avast as directed and ran ComboFix.

It seemed to stop before it finished. A minute later a window popped up that said "administrator" on the blue bar at the top of the window (much like a DOS prompt window). I wasn't sure if it was ComboFix doing it or the malware, so I waited, then closed the window. I tried ComboFix again and it did virtually the same thing, without the administrator DOS prompt window, so I searched for ComboFix.txt and couldn't find it after running a search on drive C. I tried to run TDSSKiller to see how that would work, and it does the same thing that aswMBR does. So, I enabled avast again just in case the malware was trying to take over in the meantime.

ComboFix also never asked about a Recovery Console.

Please advise.

I disabled avast again and am letting ComboFix have the benefit of the doubt. The admin window is ComboFix. I will upload the file it creates when it finishes. I chickened out early last time. I will upload shortly.

Thank you.