[RESOLVED] Rootkit infection detected... :(

Hello, newbie here. =)

I appear to be having the same problem as described in this thread:
http://forum.avast.com/index.php?topic=36318.0

Here is a screen shot of the Avast! alert:

http://img822.imageshack.us/img822/2516/18068621.png

After displaying this alert, Avast! then instructs me to delete the file, so of course I click “OK” to let Avast! do what it’s told me to do. Avast! then instructs me to run a computer scan, which of course I do; the computer scan says zero infected files. Avast! keeps flagging up this possible rootkit thing and repeats its instructions to delete, then run a scan.

If it helps, the antivirus I’m currently using is the downloaded Avast! Free Antivirus.

I am at a complete loss as to what to do as I don’t know much about this stuff.

Thank-you all who read this for your time and interest, it’s greatly appreciated. Best wishes and kind regards.
Any help and advice would be greatly appreciated, just please bear in mind I’m not all that familiar with technical terms and this area of computing in general.

If avast! cannot get rid of the rootkit, try Dr. Web CureIt. Do the express scan. It is very good at cleaning MBR rootkits.

http://www.freedrweb.com/cureit/?lng=en

Another that will cure an MBR rootkit would be Prevx.

http://info.prevx.com/downloadcsi.asp

You could also try F-Secure BlackLight. It’s easy to use, small, and does the job.

You probably have the TDL4 rootkit; try running a scan with TDSSKiller: http://support.kaspersky.com/viruses/solutions?qid=208280684

Hello Pony_Girl,

I will notify essexboy, the malware expert. He will be here between 08:00pm and 11:59pm UK time.

@Pony_Girl

Please take a look at the file:

C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log\aswAr.log

In case of a TDL infection you should see:

avast! Antirootkit, version 1.0 Scan started: Tuesday, February 01, 2011 10:03:42 AM

Process [4]

Device \Device\Ide\IdeDeviceP0T0L0-3 → ??\IDE#DiskMaxtor_6Y120P0__________________________YAR41BW0#335930334d57455920#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
Device \Driver\atapi → DriverStartIo 816b7abf
Disk 0 MBR [TDL4] ROOTKIT

Thanks
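As an added illustration of the check gmr describes (not code from avast! or from anyone in this thread), the following Python script parses aswAr.log-style output and flags the lines that indicate an MBR rootkit. The line formats are modelled on the excerpt quoted above; the two sample logs, the `MBR OK` line and the device name `DiskEXAMPLE` are constructed for this example and are not real scanner output.

```python
"""Parse avast! Antirootkit (aswAr.log) style output and flag MBR rootkit findings.

Added example, not avast! code. Line formats are modelled on the aswAr.log
excerpt quoted in the thread; the sample logs below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log modelled on the thread's excerpt (device name shortened)
SAMPLE_LOG = """\
avast! Antirootkit, version 1.0 Scan started: Tuesday, February 01, 2011 10:03:42 AM
Process [4]
Device \\Device\\Ide\\IdeDeviceP0T0L0-3 -> ??\\IDE#DiskEXAMPLE#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
Device \\Driver\\atapi -> DriverStartIo 816b7abf
Disk 0 MBR [TDL4] ROOTKIT
"""

# Constructed clean log; the "MBR OK" wording is an assumption for this example
CLEAN_LOG = """\
avast! Antirootkit, version 1.0 Scan started: Tuesday, February 01, 2011 10:03:42 AM
Process [4]
Disk 0 MBR OK
"""

# "Disk 0 MBR [TDL4] ROOTKIT": the scanner's verdict on the boot sector
MBR_RE = re.compile(r"^Disk (?P<disk>\d+) MBR \[(?P<family>[^\]]+)\] ROOTKIT\b")
# A disk device object whose symbolic link could not be resolved ("not found")
DEVICE_NOT_FOUND_RE = re.compile(r"^Device (?P<device>\S+) (?:->|→) .* not found$")
# A driver object with a recorded routine pointer (DriverStartIo in the excerpt)
DRIVER_HOOK_RE = re.compile(
    r"^Device (?P<driver>\\Driver\\\S+) (?:->|→) (?P<field>\w+) (?P<addr>[0-9a-fA-F]{8})$"
)


@dataclass
class Finding:
    kind: str
    detail: str
    severity: str  # "critical" for a confirmed MBR verdict, "warning" for supporting lines


@dataclass
class ScanReport:
    findings: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        """True when the scanner itself declared the MBR infected."""
        return any(f.severity == "critical" for f in self.findings)


def parse_aswar_log(text: str) -> ScanReport:
    """Walk the log line by line and collect rootkit-related findings in order."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = MBR_RE.match(line)
        if m:
            report.findings.append(
                Finding("mbr_rootkit", f"disk {m['disk']} MBR flagged as {m['family']}", "critical")
            )
            continue
        m = DEVICE_NOT_FOUND_RE.match(line)
        if m:
            report.findings.append(Finding("device_unresolved", m["device"], "warning"))
            continue
        m = DRIVER_HOOK_RE.match(line)
        if m:
            report.findings.append(
                Finding("driver_hook", f"{m['driver']} {m['field']} at 0x{m['addr']}", "warning")
            )
    return report


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("clean", CLEAN_LOG)):
        report = parse_aswar_log(log)
        print(f"{name}: infected={report.infected}")
        for f in report.findings:
            print(f"  [{f.severity}] {f.kind}: {f.detail}")
```

Only the `Disk N MBR [...] ROOTKIT` verdict is treated as critical; the unresolved device link and the DriverStartIo pointer are kept as supporting context, since on their own they are what the scanner prints rather than a verdict.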

@ All who’ve kindly taken the time to read and respond to my thread: Thank-you. =)
It’s annoying knowing this problem probably is what I think it is, but at least now I know what it could be I can get round to getting it sorted and find something suitable to protect the computer from it in the future. =)

@ gmr:
On your latest post in this thread… Would I be wrong in assuming that what you’re instructing me to do is in order to determine whether or not this is a TDL infection? Just curious.

Please send your aswAr.log file to: gmerek(at)avast.com

Hi GMER, does this also detect Whistler?

Hi essexboy,

Yes, AVAST can detect most of MBR rootkits.

Alureon@mbr Sinowal@mbr Whistler@mbr

Ta ;D

Any progress on the cleaning front? Although even TDSSKiller and ComboFix are finding it hard to clear the latest variant.

@essexboy

here is something you might like to check out

http://public.avast.com/~gmerek/aswMBR.htm

any feedback or comments are welcome

Guess what - I will use this tool at the next available opportunity. ;D Is this for general release or currently under test?

EDIT: Win7 64bit run as admin

aswMBR version 0.9 Copyright(c) 2010 avast! Software
Run date: 2011-02-01 21:15:26
-----------------------------
21:15:26.894 OS Version: Windows x64 6.1.7600
21:15:26.894 Number of processors: 2 586 0x4B02
21:15:26.894 ComputerName: MARTIN-PC UserName: Martin
21:15:27.752 Initialze error - driver not loaded

I will try on my WinXP VM next.

Works on 32 bit systems ;D

@essexboy, this tool is available for the avast! community :)

It works on x64; however, its driver is not signed yet.

To run it on x64 you must “Disable Driver Signature Enforcement” (press F10 before the OS starts).

I have two disks, but aswMBR shows the same size for both HDDs:

14:49:56.660 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP3T0L0-6
14:49:56.660 Disk 0 Vendor: INTEL_SSDSA2M160G2GC 2CV102HD Size: 152627MB BusType: 11
14:49:56.663 Disk 1 \Device\Harddisk1\DR2 → \Device\000000c9
14:49:56.666 Disk 1 Vendor: WD______ 1.75 Size: 152627MB BusType: 7

Thanks Petr, it indeed shows the boot disk size for all disks.

Fixed, new version uploaded.

Ok and thanks - trying it now on one here that MBRCheck has failed on

Should it scan the MBR on all available HDDs? It seems it scans only Disk 0.
The timestamp is not local, but in GMT.

It scans the boot disk (in most cases its number is 0).