MBR Rootkit detected

Hi, I’ve just been alerted by Avast this morning regarding a virus when I performed a full system scan.
The file name is MBR: \.\PHYSICALDRIVE0, Threat: Rootkit: hidden boot-sector.

There have been random Internet Explorer ads popping up from time to time, and I’ve followed what Avast suggested, to do a boot scan while it cleans up any problems. The boot scan turned up clean, and nothing seems to have been fixed. Also, Avast continues to alert me about the virus, saying that a suspicious MBR: \.\PHYSICALDRIVE0 has been detected, after which it alerts me again, this time saying it’s Whistler. I’ve tried scanning with Malwarebytes as well, and nothing comes up either.

Ah, I’ve also been experiencing BSODs from time to time at random, sometimes when I boot up my computer, or at completely random times. It states invalid process detach attempt, and starts with the code 0x00000006. I’ve looked into the code and found out that it has something to do with hardware or driver problems, but just in case I thought I’d include this as well.

Another thing: the Internet Explorer ads had been popping up before Avast detected this rootkit, so I’m not sure whether it has been in my computer for a while and Avast only detected it today.

I have an external HD plugged in during the scan, so I’m not sure if it has been affected as well. Is there a way to confirm what has been infected?
After looking around the threads here, I’ve also tried checking with aswMBR and using MBRCheck. I’ve also included the latest quick scan log by Malwarebytes done just a while ago.
Here are the three respective logs.

I’d appreciate it if anyone can spare me some help; thanks in advance.

Essexboy is notified… :wink:
He is usually in here at 8:00pm - 11:59pm UK time
http://www.timeanddate.com/worldclock/

You may also post OTL logs.

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( OTL.Txt. / Extras.Txt / )

I’ve tried scanning with OTL and GMER as well.
These are the logs of the scans. The GMER log appears to be too large to post; it’s about 180 KB.

Also, I’ve tried scanning the attached external hard disk with Avast. There were no infected files. I was using uTorrent to download a 60 GB photo RAR file to the hard disk in the past few days; could there be any link between the torrent and the rootkit?
Once again, thanks in advance.

My computer froze after attempting to scan with GMER again, and now all file extensions do not show after I restarted it; I’ve no idea what the cause of this is either. Edit: they reappeared after I went into Control Panel to uncheck “hide known file extensions”. Could this be the work of the rootkit?

Whilst I am looking at the other logs, could you run aswMBR again please and select Fix.

13:11:00.046 Disk 0 Whistler@MBR code has been found
13:11:00.062 Disk 0 MBR hidden
13:11:00.078 Disk 0 MBR [Whistler] **ROOTKIT**
13:11:00.093 Disk 0 trace - called modules:

I’ve tried running aswMBR earlier; the Fix option wasn’t available after scanning.
I’ve just redownloaded it and run it again, and the Fix option is still not available after the scan.

OK, thank you, I will pass that on to GMER. Could you e-mail me the aswMBR.dat file? It should be on your desktop. I will PM my e-mail address.

Please read carefully and follow these steps.

- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

- If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

- If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

- It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

I’ve followed your instructions and run TDSSKiller.
The results of the scan revealed:
Trojan-Clicker.Win32.Wistler.a
Physical Drive
Name: \HardDisk0
as well as a suspicious file with the exact same details as the one in the screencap below.
However, when I chose Continue, it says
Can’t cure MBR. Write standard boot code?

Do I go ahead and select Yes?
Sorry for the trouble.

Select Yes. What is the make of your computer?

I’m sorry, I do not have much knowledge on IT and stuff, so I don’t get what you mean by the make of my computer.
My father built this computer by himself though.

On another note, TDSSKiller tells me that the infection will be cured after reboot.
It states
\HardDisk0 - processing error
\HardDisk0 - will be restored after reboot

Will now restore and paste the report here.
Also, is there any way to double confirm whether my other files on my computer and ext HD (videos, pictures, songs) have been infected by any virus?
Thanks a lot for the help; it is very much appreciated.

Reboot completed; here is the log from TDSSKiller.

Is Avast still detecting Whistler?

Your other files should be safe.

OK, as it was home built it will not have a specialist MBR.

The other logs looked OK.

Any other problems?

The suspicious file detected by TDSSKiller earlier still remains; is it due to the Skip option?
Also, is there any way for me to find out what could have caused this rootkit infection, so that I can take precautions against it in the future?

If the suspicious one is SPTD then that is a safe part of your CD emulation.

Very difficult to say where this came from; it may have been a drive-by download. Did you have any other symptoms apart from the Avast alert?

I believe there were random pop-ups from IE in the recent past when I was not using it, but when I scanned using MBAM and Avast in the past it showed no signs of infection; in fact Avast only detected it this morning.

Is it safe to say that the virus has not taken any personal information or caused damage to any programs?
Also, is using Avast and MBAM enough to keep my computer protected?
Sorry for having bothered you so much today; your help is very much appreciated.
Oh, and regarding my external hard drive, can I consider it clean if a scan by Avast and MBAM turns up no infections later on? (MBRCheck states that my ext HD has an unknown MBR code.)

Edit: Ah, that’s right, the log from GMER showed the process Internet Explorer with “hidden” behind them; have they been fixed with TDSSKiller?
I’ve also just finished scanning with Avast; no threats found now.

Could you post the GMER log so that I can have a quick look-see? Just attach it.

I always think it advisable to change passwords after having a TDL-type infection.

Avast and MBAM should be sufficient; however, there is no such thing as 100% safe, as the malware writers are always one step ahead.

As long as the external HDD is not bootable, then the MBR is not an issue.
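The two points above (MBRCheck reporting an “unknown MBR code” on the external drive, and the reply that an MBR on a disk that never boots is not a problem) are what a simple MBR check actually tests. The script below is an added example, not code from the thread or from MBRCheck, aswMBR or TDSSKiller: it parses a 512-byte MBR, checks the 0x55AA signature and the four partition entries, compares the 446-byte boot-code region against a baseline of known-good hashes, and only treats unrecognised boot code as a warning when the disk is expected to boot. All sample sectors and the baseline hash are constructed inline; the boot-code bytes are stand-ins, not real loader code.

```python
"""Parse a 512-byte MBR and flag what an MBR-check tool looks at:
the 0x55AA boot signature, the four partition entries (status byte, type,
LBA start, sector count), and whether the 446-byte boot-code region matches
a baseline of known-good boot code. Example code, not MBRCheck or aswMBR."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader stub
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 on a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        partitions.append({
            "index": i,
            "status": status,            # 0x80 = active/bootable, 0x00 = inactive
            "bootable": status == 0x80,
            "type": ptype,               # e.g. 0x07 for NTFS
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": bytes(sector[:BOOT_CODE_SIZE]),
        "partitions": partitions,
        "signature_ok": bytes(sector[510:512]) == BOOT_SIGNATURE,
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region; a known-good baseline is keyed on this."""
    return hashlib.sha256(bytes(sector[:BOOT_CODE_SIZE])).hexdigest()


def assess_mbr(sector: bytes, known_good: set, expect_bootable: bool = True) -> list:
    """Return (severity, message) findings. Unknown boot code on a disk that
    should not boot (an external data drive) is only informational, because
    the BIOS never executes it; on the system disk it is a warning."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append(("warn", "boot signature is not 0x55AA"))
    if boot_code_hash(sector) not in known_good:
        sev = "warn" if expect_bootable else "info"
        findings.append((sev, "boot code does not match any known-good baseline"))
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(("warn", f"partition {p['index']}: invalid status byte 0x{p['status']:02x}"))
        if p["bootable"] and not expect_bootable:
            findings.append(("warn", f"partition {p['index']}: active flag set on a disk that should not boot"))
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(("warn", f"partition {p['index']}: type 0x{p['type']:02x} with zero length"))
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for testing. partitions is a list of
    (status, type, lba_start, sectors) tuples; CHS fields are left zero."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too long")
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        struct.pack_into("<B3sB3sII", sector, off,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples (not real disk images). CLEAN_BOOT_CODE is an arbitrary
# stand-in for whatever standard boot code the baseline trusts.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 1_000_000)])
KNOWN_GOOD = {boot_code_hash(CLEAN_MBR)}     # baseline taken from a trusted disk

# Same partition table, boot code altered: a bootkit rewrites this region
# and leaves the partitions untouched, so only the hash comparison notices.
TAMPERED_MBR = bytes(b"\xeb\x3c\x90\x00" + CLEAN_MBR[4:])

# An external data drive: unrecognised boot code, no active partition.
EXTERNAL_MBR = build_mbr(b"\xfa\xf4" * 8, [(0x00, 0x07, 2048, 500_000)])

if __name__ == "__main__":
    for name, mbr, bootable in [("system disk", CLEAN_MBR, True),
                                ("system disk (tampered)", TAMPERED_MBR, True),
                                ("external HD", EXTERNAL_MBR, False)]:
        print(name, assess_mbr(mbr, KNOWN_GOOD, expect_bootable=bootable) or "no findings")
```

On a real machine the 512 bytes would come from reading sector 0 of the physical drive with administrator rights, and the baseline would be the hash of the standard boot code that a trusted tool wrote; the point of keeping a baseline rather than pattern-matching is that a bootkit replaces the code region while the partition table still looks perfectly normal.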

Hello, I am having the exact same problem. I had AVG anti-virus, but no viruses were shown. However, I knew I had one because all of a sudden a blue screen would appear, something to do with a driver problem, and then my laptop would restart.

I have now downloaded Avast 6.0 and it detects the virus. However, when I try to move it to the chest, it says error.
I have done the boot start-up scan and it comes out clean, and starts the laptop up normally.
I am running the Avast antivirus again, and I have just got a thing that has popped up saying SUSPICIOUS FILES FOUND, and the file name is \.\PHYSICALDRIVE0 MBR:TDL

I have already taken the action to delete it, but this message still comes up.
When I run a quick scan or full scan, within seconds a virus is detected. This is called MBR: \.\PHYSICALDRIVE0, and the status is ‘Threat: Rootkit: hidden boot-sector’.

I restart the laptop when Avast asks me to, and I have done many of the BOOT START UP SCANs, and it still does not go.

Can you please help me on what else I can do?

OK, the main Avast programme at this stage cannot repair it, but there is a standalone version that works.

Download aswMBR.exe (511 KB) to your desktop.

Double click aswMBR.exe to run it.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.jpg

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2.png

Click “Fix” in case of infection.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR3.png

Save aswMBR.log to the desktop, then post the log in your next reply.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR4.png

THEN

Download OTL to your Desktop.

- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- Click on Minimal Output at the top.
- Click on Scan all users.
- Download the following file, scan.txt, to your Desktop. Click here to download it. You may need to right click on it and select “Save”.
- Double click inside the Custom Scan box at the bottom.
- A window will appear saying “Click Ok to load a custom scan from a file or Cancel to cancel”.
- Click the Ok button and navigate to the file scan.txt which we just saved to your desktop.
- Select scan.txt and click Open. Writing will now appear under the Custom Scan box.
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please attach all logs.