Rootkit Found

Hi

I am hoping someone can please help me.

Avast has found a rootkit. I have tried doing what it suggested: deleting the files and running the boot scan, which also deleted 3 files, but it seems that didn't work. I have also done the anti-malware scan with Malwarebytes, but 10 minutes later I have another message from Avast pop up.

The previous message was Win32 MBroot
now it is MBR:\.\Physicaldrive0

I have done some searches on Google but can't seem to find a definite answer on what to do to fix this problem…?

Please help :frowning:

Did Malwarebytes detect anything? If so, post the log.

aswMBR log
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-04 18:46:09

18:46:09.389 OS Version: Windows 6.0.6001 Service Pack 1
18:46:09.390 Number of processors: 2 586 0xF0D
18:46:09.395 ComputerName: HOME-PC UserName: Home
18:46:10.750 Initialize success
18:46:15.863 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
18:46:15.869 Disk 0 Vendor: Hitachi_ BB2O Size: 114473MB BusType: 3
18:46:15.897 Disk 0 MBR read successfully
18:46:15.903 Disk 0 MBR scan
18:46:15.909 Disk 0 unknown MBR code
18:46:15.924 Disk 0 scanning sectors +234440704
18:46:15.962 Disk 0 scanning C:\Windows\system32\drivers
18:46:24.904 Service scanning
18:46:27.339 Disk 0 trace - called modules:
18:46:27.359 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
18:46:27.360 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86c1cac8]
18:46:27.361 3 CLASSPNP.SYS[88f9c745] → nt!IofCallDriver → [0x85c446a8]
18:46:27.363 5 acpi.sys[806916a0] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-0[0x85c46030]
18:46:27.364 Scan finished successfully
18:47:44.547 Disk 0 MBR has been saved successfully to “C:\Users\Home\Desktop\MBR.dat”
18:47:44.566 The log file has been saved successfully to “C:\Users\Home\Desktop\aswMBR.txt”

Malware Log
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048

6/4/2011 5:40:12 PM
mbam-log-2011-06-04 (17-40-12).txt

Scan type: Quick scan
Objects scanned: 122246
Time elapsed: 15 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys (Trojan.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDQuality (Trojan.DNSChanger) → Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDQuality\Uninstall.lnk (Trojan.DNSChanger) → Quarantined and deleted successfully.

I only did a quick scan in Malwarebytes. I am now running a full scan on all drives and will post the log.

thanks for helping :slight_smile:

Your Malwarebytes program is veeeeeery old and has never been updated???

Update the program to the latest version, 1.51.0.1200, and the latest signatures, 6768.

If the manual update does not work, you may download it from here:
http://filehippo.com/download_malwarebytes_anti_malware/

The aswMBR log looks clean.

If the latest version of Malwarebytes does not fix this, you may try this:

Kaspersky TDSSKiller
http://support.kaspersky.com/faq/?qid=208283363

I've got to go out now, so I will send a PM to Essexboy…

Yeah, I realised after… I haven't had to use it for a while… I have updated now.

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6768

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048

6/4/2011 8:35:16 PM
mbam-log-2011-06-04 (20-35-16).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 301306
Time elapsed: 1 hour(s), 43 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Home\downloads\xvidsetup(2).exe (Adware.Hotbar) → Quarantined and deleted successfully.
c:\Users\Home\downloads\xvidsetup(3).exe (Adware.Hotbar) → Quarantined and deleted successfully.
c:\Users\Home\downloads\xvidsetup(4).exe (Adware.Hotbar) → Quarantined and deleted successfully.
c:\Users\Home\downloads\xvidsetup(5).exe (Adware.Hotbar) → Quarantined and deleted successfully.
c:\Users\Home\downloads\xvidsetup(6).exe (Adware.Hotbar) → Quarantined and deleted successfully.
c:\Users\Home\downloads\xvidsetup.exe (Adware.Hotbar) → Quarantined and deleted successfully.

Nothing showing up here, so I am a little confused why I am getting these messages from Avast…
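Added example, not part of this thread and not a Malwarebytes tool: a small Python parser for the log layout used by the two Malwarebytes reports posted above. It checks that the summary counts agree with the detail sections (a mismatch usually means a log was truncated when pasted) and separates hits under the Services registry key, like the gaopdxserv.sys entry in the quick-scan log, from ordinary file and shortcut hits, since a Services entry registers a driver or service and is the kind of finding a dedicated rootkit scanner should follow up. The sample log is a constructed, abridged copy of the quick-scan report with one extra file line added to exercise paths that contain parentheses; the wording of the triage notes is my own.

```python
"""Triage helper for Malwarebytes' Anti-Malware text logs (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: abridged copy of the quick-scan log from the thread plus one
# file line whose path contains parentheses. MBAM writes the arrow as ASCII "->";
# the regex below also accepts the "→" seen in the pasted copy.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6001 Service Pack 1

Scan type: Quick scan
Objects scanned: 122246
Time elapsed: 15 minute(s), 33 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Folders Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDQuality (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HDQuality\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\Users\Home\downloads\xvidsetup(2).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")      # summary block
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")           # detail section header
# Lazy path match plus the "$" anchor lets paths like "xvidsetup(2).exe" parse correctly.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) (?:->|→) (?P<action>.+)$")


@dataclass
class Detection:
    section: str   # e.g. "Registry Keys Infected"
    path: str      # registry key, folder or file path
    name: str      # MBAM detection name, e.g. "Trojan.Agent"
    action: str    # what MBAM did with it

    @property
    def is_service_entry(self) -> bool:
        """True for hits under the CurrentControlSet Services key: a registered
        service or driver, not just a file or shortcut."""
        return "\\currentcontrolset\\services\\" in self.path.lower()

    @property
    def leaf(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


@dataclass
class MbamReport:
    header: dict = field(default_factory=dict)
    declared: dict = field(default_factory=dict)   # section -> count from the summary block
    detections: list = field(default_factory=list)

    def counts_match(self) -> bool:
        found = {}
        for d in self.detections:
            found[d.section] = found.get(d.section, 0) + 1
        return all(found.get(s, 0) == n for s, n in self.declared.items())

    def service_entries(self) -> list:
        return [d for d in self.detections if d.is_service_entry]


def parse_mbam_log(text: str) -> MbamReport:
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            report.header[m.group(1)] = m.group(2)
        elif (m := COUNT_RE.match(line)):
            report.declared[m.group(1)] = int(m.group(2))
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section and (m := DETECTION_RE.match(line)):
            report.detections.append(Detection(section, m["path"], m["name"], m["action"]))
    return report


def triage(report: MbamReport) -> list:
    """Notes a helper would want before calling a log 'clean'."""
    notes = []
    if not report.counts_match():
        notes.append("summary counts disagree with the listed detections; the log may be truncated")
    for d in report.service_entries():
        notes.append(f"{d.leaf} ({d.name}) was a registered service/driver entry; "
                     "follow up with a dedicated rootkit scanner such as TDSSKiller")
    return notes


if __name__ == "__main__":
    for note in triage(parse_mbam_log(SAMPLE_LOG)):
        print("NOTE:", note)
```

Run as a script it prints the triage notes for the sample; `parse_mbam_log` accepts the pasted text of any MBAM log in this layout, so the full-scan log above can be fed through it unchanged.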

Run TDSSKiller as Pondus suggested, but looking at the gaopdxserv.sys file MBAM found, I may need to use a stronger tool.

Please read carefully and follow these steps.

1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop.
3. Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

4. If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

5. If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

6. It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

7. If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
8. If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version][Date][Time]_log.txt". Please copy and paste the contents of that file here.

Hi

I ran TDSSKiller; it found a few things and seems to have fixed the problem now…

See how it goes.

thanks for the help

You should complete the process by posting the contents of the log as essexboy requested.

Yes please, as gaopdxserv.sys is an old variant of a rootkit and there may still be remnants on your system.