Ran avast and this came up. I tried to move it to the chest, but it said that the error is not supported. Please help.
Hi
Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif
Click the “Scan” button to start the scan
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif
On completion of the scan click save log, save it to your desktop and post in your next reply
Hey, I’ve got/had the same virus
THIS THING ISN’T FUNNY
(for all those who don’t want to have this virus: Never visit the site called keygenguru.com!!! >:( I mean it,
otherwise you’ll look like :o)
When I wanted to start the computer it kept crashing to a blue screen
In Safe Mode I could just back up my data (takes ages)
I made a repair disc (should have done it earlier)
Obviously it didn’t work (the system was infected)
But I managed to get another disc from a friend (who had Win7 too)
Then it worked
(that’s why I’m in this forum now; I’ve downloaded avast! (my installed programs are gone))
And it says this MBR stuff
So I tried to delete it and did a boot scan
I know there is a log file, but I don’t know where it is (someone help out pls?)
However I remember it HAS found infected files (2 of them) (in the boot scan)
But when I wanted to repair/chest or delete it
It obviously didn’t work.
Now whenever I restart the computer and open avast
It tells me it detected a Rootkit (Damn) and MBR:\.\PHYSICALDRIVE0
What now?
Edit:
Congrats, Avast, for giving us this powerful help-out tool
btw thx essexboy for showing
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-21 15:52:39
15:52:39.982 OS Version: Windows x64 6.1.7600
15:52:39.982 Number of processors: 2 586 0x170A
15:52:39.982 ComputerName: PHILIP-PC UserName: Philip
15:52:43.024 Initialize success
15:52:49.171 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
15:52:49.171 Disk 0 Vendor: WDC_WD3200BEVT-22ZCT0 11.01A11 Size: 305245MB BusType: 11
15:52:51.230 Disk 0 MBR read successfully
15:52:51.230 Disk 0 MBR scan
15:52:51.230 Disk 0 TDL4@MBR code has been found
15:52:51.245 Disk 0 MBR [TDL4] ROOTKIT
15:52:51.245 Service scanning
15:52:52.727 Disk 0 trace - called modules:
15:52:52.727 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
15:52:52.727 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004957060]
15:52:52.743 3 CLASSPNP.SYS[fffff8800141743f] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80046d4680]
15:52:52.743 Scan finished successfully
15:53:23.167 Disk 0 fixing MBR
15:53:33.182 Disk 0 MBR restored successfully
15:53:33.260 Disk 0 Windows 601 MBR fixed successfully
Don’t worry, just another edit:
Ran a boot scan over it, didn’t give any alarm
@TribeWars
Re-run aswMBR
Click Scan
On completion of the scan
Click the Fix button
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrtdl4.gif
Save the log as before and post in your next reply
yay the virus is eliminated (avast didn’t find anything in the boot scan or in the full scan)
I’ll maybe scan the computer with Malwarebytes (can I trust it?)
again thx, this crappy virus made my computer not boot for more than a month (yay WE LOVE BLUESCREEN)
lol all of us will learn
I myself am going to buy an external hard disk where I’m going to do a system image every week
(we all learn)
hopefully I’ll never need it but we never know
edit: I’ve got the hard disk
So how exactly can I do a system image
and if my computer gets infected how can I put it back on the computer?
thx if anyone can help or show me?
btw I’ve got Windows 7 if anyone has to know
Google is your friend… http://lmgtfy.com/?q=So+how+exactly+can+i+do+a+system+image
Let’s say hooray!
Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6447
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
26.04.2011 09:09:10
mbam-log-2011-04-26 (09-09-10).txt
Scan type: Quick scan
Objects scanned: 215151
Time elapsed: 1 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hey guys, I’ve noticed some (really, actually it doesn’t matter, it’s just some registry stuff) changes
The second is how booting looked before
the first how it looks now
Lol this is funny
Wow, such a virus attack makes someone 1000 times more careful.
@anyone (who knows): So what does this FIX button do?
Because I already fixed the MBR and I am not sure if I should press the FIX button
I am really suspicious now because my system works fine again (yay) and I don’t want to break anything again. I hope you guys can appreciate this. I don’t want to annoy, I just want to be sure that I am doing the right thing.
The fix button is designed to remove the TDL4 type infection only; use with any other infection could render the system unbootable. So don’t touch ;D
The fixmbr button replaces the original MBR with a clean copy - for use with Sinowal and Mebroot
If you have TDL3 then a further specialist tool will be required
The report will tell you which type you have
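Added example, not code from the thread or from AVAST: a small Python triage script that parses aswMBR log lines in the format quoted in the thread, pulls out the bracketed rootkit tag and the "MBR restored/fixed successfully" lines, and maps the family to the button guidance essexboy gives above. The sample log is constructed from the lines posted earlier; the Sinowal/Mebroot tag spellings and the rule that the bracketed tag always names the family are assumptions.

```python
import re

# Constructed sample, modelled on the aswMBR log lines quoted in this thread.
SAMPLE_LOG = """\
15:52:51.230 Disk 0 MBR read successfully
15:52:51.230 Disk 0 MBR scan
15:52:51.230 Disk 0 TDL4@MBR code has been found
15:52:51.245 Disk 0 MBR [TDL4] ROOTKIT
15:52:52.743 Scan finished successfully
15:53:23.167 Disk 0 fixing MBR
15:53:33.182 Disk 0 MBR restored successfully
15:53:33.260 Disk 0 Windows 601 MBR fixed successfully
"""

# Guidance as stated in the thread: Fix is for TDL4 only, FixMBR (clean MBR
# copy) is for Sinowal/Mebroot, TDL3 needs a further specialist tool.
# Assumption: aswMBR prints the family as the bracketed tag on the ROOTKIT line.
GUIDANCE = {
    "TDL4": "use the Fix button",
    "TDL3": "do not use Fix; a further specialist tool is required",
    "SINOWAL": "use the FixMBR button (clean MBR copy)",
    "MEBROOT": "use the FixMBR button (clean MBR copy)",
}

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3})\s+(.*)$")
SCAN_RE = re.compile(r"^Disk (\d+) MBR scan$")
ROOTKIT_RE = re.compile(r"^Disk (\d+) MBR \[([^\]]+)\] ROOTKIT")
FIXED_RE = re.compile(r"^Disk (\d+) (?:MBR restored|.*MBR fixed) successfully")

def parse_aswmbr(text):
    """Per disk: which family (if any) was flagged and whether a restore/fix line followed."""
    disks = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip header lines such as "Run date: ..."
        msg = m.group(2)
        if (s := SCAN_RE.match(msg)):
            disks.setdefault(int(s.group(1)), {})
        elif (r := ROOTKIT_RE.match(msg)):
            disks.setdefault(int(r.group(1)), {})["family"] = r.group(2).upper()
        elif (f := FIXED_RE.match(msg)):
            disks.setdefault(int(f.group(1)), {})["remediated"] = True
    return disks

def advise(disks):
    """Turn the parsed result into the next step a helper would tell the poster."""
    out = {}
    for n, info in disks.items():
        fam = info.get("family")
        if fam is None:
            out[n] = "no MBR rootkit reported"
        elif info.get("remediated"):
            out[n] = f"{fam} found and MBR already restored; re-scan to confirm"
        else:
            out[n] = f"{fam} found: " + GUIDANCE.get(fam, "unknown family, do not press Fix")
    return out
```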
So I actually pressed the fix mbr and another mbr.dat thing was saved on my desktop
I scanned it and it had the rootkit in it which was detected in the boot scan
I moved it to the chest. I’ll leave it there.
Btw, the name is Alureon-G@mbr [rtk]
Edit: Should I submit it?
Another edit: When I did the boot scan before I used aswMBR it showed me that hiberfil.sys was infected (with Alureon-B@mbr [rtk])
After I used aswMBR the boot scan didn’t find anything
Can I be sure it is clean?
Malwarebytes didn’t find anything either
After I used aswMBR the boot scan didn't find anything. Can I be sure it is clean?
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds.scr to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. Post DDS.txt back to topic.
Sure I should open it?
Avast! came up and told me it was placed into the autosandbox ???
Open normally.
DDS is a diagnostic tool
Thx for your help
System is clean
Cheers!
Actually I suspected this because hiberfil.sys gets rewritten every time you hibernate
Try to disable hibernate
http://www.sevenforums.com/tutorials/819-hibernate-enable-disable.html
The problem is not caused by malware