Root kit hidden boot sector Malware removal help please

Just got hold of a 2nd hand PC and upon getting it set up and running Avast on it, it has detected malware. System is running XP

Root Kit Hidden Boot-sector MBR:\.\PHYSICALDRIVE0

Just wondering how I can get rid of this as it still comes back after Avast says it’s removed it. I notice this has been asked a few times on the forum but people always get told to do different things depending on what the logs say

First I will need to see what the variant is

Download aswMBR.exe ( 4.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan

http://dl.dropbox.com/u/73555776/aswMBRscan.png

On completion of the scan click save log, save it to your desktop and post in your next reply

http://dl.dropbox.com/u/73555776/aswMBRlog.png

THEN

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
WSHELPER.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-18 20:20:23

20:20:23.703 OS Version: Windows 5.1.2600 Service Pack 3
20:20:23.703 Number of processors: 2 586 0x304
20:20:23.718 ComputerName: USER-76814CAF25 UserName: user
20:20:28.640 Initialize success
20:20:41.468 AVAST engine defs: 12061801
20:20:52.328 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-17
20:20:52.328 Disk 0 Vendor: ST3250310AS 3.AAC Size: 238475MB BusType: 3
20:20:52.328 Device owAZEVAoRGRCZ → DriverStartIo RGRCZ@J@ f8666864
20:20:52.375 Disk 0 MBR read successfully
20:20:52.375 Disk 0 MBR scan
20:20:52.546 Disk 0 Win32:MBRoot-J [Trj]
20:20:52.546 Disk 0 Windows XP default MBR code found via API
20:20:52.546 Disk 0 MBR hidden
20:20:52.546 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
20:20:52.578 Disk 0 MBR [Win32:MBRoot] ROOTKIT
20:20:52.578 Disk 0 trace - called modules:
20:20:52.578 ntoskrnl.exe CLASSPNP.SYS disk.sys aswSP.SYS >>UNKNOWN [0x82f6b000]<<
20:20:52.578 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x82f14ab8]
20:20:52.593 3 CLASSPNP.SYS[f8756fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-17[0x82f16b00]
20:20:53.000 AVAST engine scan C:\WINDOWS
20:21:26.953 AVAST engine scan C:\WINDOWS\system32
20:25:08.343 AVAST engine scan C:\WINDOWS\system32\drivers
20:25:33.593 AVAST engine scan C:\Documents and Settings\user
20:45:03.328 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\user\Desktop\MBR.dat”
20:45:03.562 The log file has been saved successfully to “C:\Documents and Settings\user\Desktop\aswMBR.txt”

I will have to post the 2 OTL logs in 4 separate parts as it’s not allowing me to post it all in one post

Attach the text files

Details are here http://forum.avast.com/index.php?topic=53253.0

Thanks

OK let’s get at it… Be advised that I can see three antivirus programmes on the system, you need to bring that down to one

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - [2012/06/15 19:54:45 | 000,079,360 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bubpzzaqy.sys -- (bubpzzaqy.sys)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xcpip.sys -- (xcpip)
IE - HKLM\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm265YYGB&fl=0&ptb=IMkaQ1FPMHwiwgK7jBi3LQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
IE - HKCU\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm265YYGB&fl=0&ptb=IMkaQ1FPMHwiwgK7jBi3LQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\ddcCTMdE) - File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Re-Run aswMBR

Click Scan

On completion of the scan, click the Fix button

http://dl.dropbox.com/u/73555776/aswMBRwhistler.png

Save the log as before and post in your next reply

FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

After letting OTL run with the coding that I was to paste in. Once the system had rebooted I am unable to run OTL to do the quick scan. I’m getting a message saying: The application or DLL C:\WINDOWS\system32\uxtheme.DLL is not a valid Windows image. Please check this against your installation diskette.

No programs seem to be working, inc. Internet Explorer, so doing this from a mobile phone

Essexboy is in bed now…but back tomorrow

Yeah that’s fine. Just left it after that anyway, was bed time as well. Won’t get back to it until after work tonight

Looks like I stopped the bad boy too early

Can you reboot the computer - pressing F8 continuously
Select safe mode and restore the computer to yesterday
If that fails then select last known good from the same menu

I restarted it this morning before I went to work and everything seems to be working now. Should I run OTL now?

No, go direct to ComboFix please, that is a bit more refined in the removal ;D

Ran that one but only got so far through, and a blue screen came up saying it had shut the system down due to a bad pool header.

I rebooted as it said and now no icons on screen. Should I restore it back to a later point?

Scrap that, tried a reboot again and they’re back up again.

Could you run a fresh aswMBR scan and a fresh All Users OTL scan please

Done both of them

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-19 21:49:50

21:49:50.125 OS Version: Windows 5.1.2600 Service Pack 3
21:49:50.140 Number of processors: 2 586 0x304
21:49:50.140 ComputerName: USER-76814CAF25 UserName: user
21:50:05.828 Initialize success
21:50:12.109 AVAST engine defs: 12061900
21:50:18.765 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-17
21:50:18.765 Disk 0 Vendor: ST3250310AS 3.AAC Size: 238475MB BusType: 3
21:50:18.765 Device owAZEVAoRGRCZ → DriverStartIo RGRCZ@J@ f8666864
21:50:18.781 Disk 0 MBR read successfully
21:50:18.781 Disk 0 MBR scan
21:50:18.859 Disk 0 Win32:MBRoot-J [Trj]
21:50:18.859 Disk 0 Windows XP default MBR code found via API
21:50:18.859 Disk 0 MBR hidden
21:50:18.875 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
21:50:18.906 Disk 0 MBR [Win32:MBRoot] ROOTKIT
21:50:18.906 Disk 0 trace - called modules:
21:50:18.906 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82f7c000]<<
21:50:18.906 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x82f7aab8]
21:50:18.937 3 CLASSPNP.SYS[f8756fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-17[0x82f5ad98]
21:50:25.875 AVAST engine scan C:\WINDOWS
21:51:30.921 AVAST engine scan C:\WINDOWS\system32
21:55:49.750 AVAST engine scan C:\WINDOWS\system32\drivers
21:57:03.859 AVAST engine scan C:\Documents and Settings\user
22:14:59.828 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\user\Desktop\MBR.dat”
22:15:00.015 The log file has been saved successfully to “C:\Documents and Settings\user\Desktop\aswMBR1.txt”

And attached the OTL one
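The two aswMBR logs in this thread differ only in a few lines, and it is those lines that decide whether the rootkit survived the OTL fix: the detection name on the disk line, “MBR hidden”, the “[…] ROOTKIT” verdict, and the “>>UNKNOWN [address]<<” entry at the end of the disk I/O call trace, which means the read path ends in code that belongs to no known driver. As an added example (not from the thread, Avast or aswMBR) here is a small Python parser that pulls those indicators out of a log so two scans can be compared mechanically; the infected sample is abbreviated from the first log above, and the clean sample is an assumed shape of a clean result.

```python
import re

# Constructed sample, abbreviated from the first aswMBR log in this thread.
SCAN_INFECTED = """\
20:20:52.375 Disk 0 MBR read successfully
20:20:52.546 Disk 0 Win32:MBRoot-J [Trj]
20:20:52.546 Disk 0 MBR hidden
20:20:52.578 Disk 0 MBR [Win32:MBRoot] ROOTKIT
20:20:52.578 Disk 0 trace - called modules:
20:20:52.578 ntoskrnl.exe CLASSPNP.SYS disk.sys aswSP.SYS >>UNKNOWN [0x82f6b000]<<
"""

# Constructed sample of a clean result (assumed shape; not from the thread).
SCAN_CLEAN = """\
09:00:00.000 Disk 0 MBR read successfully
09:00:00.010 Disk 0 Windows XP default MBR code found via API
09:00:00.020 Disk 0 trace - called modules:
09:00:00.020 ntoskrnl.exe CLASSPNP.SYS disk.sys
"""

LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d{3} (.*)$")
DETECT_RE = re.compile(r"^Disk (\d+) ([A-Za-z0-9]+:[\w.-]+ \[\w+\])$")
HIDDEN_RE = re.compile(r"^Disk (\d+) MBR hidden$")
ROOTKIT_RE = re.compile(r"^Disk (\d+) MBR \[([^\]]+)\] ROOTKIT$")
UNKNOWN_RE = re.compile(r"^(.*?) >>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<$")


def analyse_aswmbr(log_text):
    """Collect the MBR rootkit indicators aswMBR prints, keyed by indicator type."""
    found = {"detections": [], "hidden_mbr": [], "rootkit": [], "unknown_hooks": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines such as "Run date:" carry no timestamp
        msg = m.group(1)
        if (d := DETECT_RE.match(msg)):
            found["detections"].append((int(d.group(1)), d.group(2)))
        elif (h := HIDDEN_RE.match(msg)):
            found["hidden_mbr"].append(int(h.group(1)))
        elif (r := ROOTKIT_RE.match(msg)):
            found["rootkit"].append((int(r.group(1)), r.group(2)))
        elif (u := UNKNOWN_RE.match(msg)):
            # The disk I/O path ends in code outside any known module: a hook.
            found["unknown_hooks"].append((u.group(2), u.group(1).split()))
    return found


def is_infected(found):
    """True if any indicator is present; a clean disk shows none of the four."""
    return any(found[k] for k in found)
```

Run `is_infected(analyse_aswmbr(text))` on each saved aswMBR.txt; the second log in this thread yields the same four indicators as the first, which is why the helper moved on to TDSSKiller.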

Ok it does not appear to want to go

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Done that but when I go to the report it won’t let me right click to copy it. Would it work if say I took a screen shot and then posted it as a pic?

http://i192.photobucket.com/albums/z40/krypton5/untitled.jpg