Rootkit - MBR: \\.\PHYSICALDRIVE0

My Avast! scan logs keep saying I have a rootkit called “MBR:\\.\PHYSICALDRIVE0” which I’ve tried to send to chest several times to no avail. It doesn’t show up on the boot scans and I’ve had blue screen twice so far; once last night when I first got the rootkit and again today when I turned on my networking. When I managed to get it into safe mode, my laptop restarted itself before I could do anything.

Any help on fixing this will be much appreciated.

You can check if you have an MBR rootkit using this tool:

I tried running it and I got a blue screen. I tried again in safe mode only to get a blue screen again. The error I got was “DRIVER_IRQL_NOT_LESS_OR_EQUAL”. What should I do?

You can try another rootkit tool, but if that can’t run either, I don’t know if that is down to the existing rootkit blocking security tools.
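The detection in this thread names the MBR of \\.\PHYSICALDRIVE0, the first sector of the first disk, which is where TDL4-family rootkits install their loader. Independently of any scanner, a defender can read that sector and compare it with a known-good baseline. The code below is an added example, not code from the forum, from Avast, or from the rootkit tools mentioned; the 512-byte image it parses is constructed here, the baseline hash is whatever you captured from a clean machine, and `read_mbr` only works on a real disk when run with administrator rights.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446          # bytes 0..445: boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR image (not taken from the thread):
    placeholder boot code, one bootable NTFS partition, three empty entries."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (BOOT_CODE_LEN - 3)
    # Entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
    entry1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                         b"\xFE\xFF\xFF", 2048, 204800)
    empty = b"\x00" * 16
    return boot_code + entry1 + empty * 3 + MBR_SIGNATURE


def read_mbr(device_path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (Windows: needs administrator)."""
    with open(device_path, "rb") as disk:
        return disk.read(512)


def parse_mbr(image: bytes) -> dict:
    """Validate the boot signature, list partitions, hash the boot code."""
    if len(image) != 512:
        raise ValueError(f"MBR must be 512 bytes, got {len(image)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            "<B3sB3sII", image[off:off + 16])
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": image[510:512] == MBR_SIGNATURE,
        # Hash only the code region: partition edits by the user must not
        # trip the comparison, a changed loader must.
        "boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def mbr_changed(image: bytes, baseline_sha256: str) -> bool:
    """True when the boot code differs from the recorded known-good hash."""
    return parse_mbr(image)["boot_code_sha256"] != baseline_sha256


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("signature ok:", info["signature_ok"])
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        print(p)
```

Record the boot code hash once on a machine you trust; a later mismatch, or a missing 0x55AA signature, is the cue to boot from clean media and inspect the disk rather than to trust any scanner running on the suspect system.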

Okay, I scanned it successfully. Here is the log. I removed the unimportant stuff.

2011/06/26 18:00:34.0734 1840	\Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/26 18:00:34.0765 1840	================================================================================
2011/06/26 18:00:34.0765 1840	Scan finished
2011/06/26 18:00:34.0765 1840	================================================================================
2011/06/26 18:00:34.0781 1152	Detected object count: 1
2011/06/26 18:00:34.0781 1152	Actual detected object count: 1
2011/06/26 18:00:53.0111 1152	\Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/26 18:00:53.0111 1152	\Device\Harddisk0\DR0 - ok
2011/06/26 18:00:53.0111 1152	Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure 
2011/06/26 18:01:03.0797 1844	Deinitialize success
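The scanner log above follows a fixed shape: timestamp, thread id, then a message such as `<object> - detected <name> (<code>)`, `... - will be cured after reboot`, or `... - User select action: Cure`. When such logs come in by the dozen, a small parser that pulls out the detections, the chosen action and whether a reboot is still pending saves reading them by hand. The code below is an added example, not part of the thread or of the scanner's own tooling; the sample log it embeds is the one posted above, and the `count_mismatch` check flags a log that was trimmed so heavily that detection lines went missing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lines pasted in the thread: "YYYY/MM/DD HH:MM:SS.mmmm <tid>\t<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+(?P<msg>.*)$"
)
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<name>\S+) \((?P<code>\d+)\)$")
REBOOT_RE = re.compile(r"^(?P<obj>.+?) \((?P<name>[^)]+)\) - will be cured after reboot$")
ACTION_RE = re.compile(r"^(?P<name>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")

# Log lines as posted in the thread (tabs restored between thread id and message).
SAMPLE_LOG = (
    "2011/06/26 18:00:34.0734 1840\t\\Device\\Harddisk0\\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)\n"
    "2011/06/26 18:00:34.0765 1840\t================================================================================\n"
    "2011/06/26 18:00:34.0765 1840\tScan finished\n"
    "2011/06/26 18:00:34.0765 1840\t================================================================================\n"
    "2011/06/26 18:00:34.0781 1152\tDetected object count: 1\n"
    "2011/06/26 18:00:34.0781 1152\tActual detected object count: 1\n"
    "2011/06/26 18:00:53.0111 1152\t\\Device\\Harddisk0\\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot\n"
    "2011/06/26 18:00:53.0111 1152\t\\Device\\Harddisk0\\DR0 - ok\n"
    "2011/06/26 18:00:53.0111 1152\tRootkit.Win32.TDSS.tdl4(\\Device\\Harddisk0\\DR0) - User select action: Cure \n"
    "2011/06/26 18:01:03.0797 1844\tDeinitialize success\n"
)


@dataclass
class Detection:
    obj: str                       # device or file the scanner flagged
    name: str                      # detection name, e.g. Rootkit.Win32.TDSS.tdl4
    action: Optional[str] = None   # action the user chose (Cure, Skip, ...)
    reboot_required: bool = False  # fix deferred to the next boot


@dataclass
class ScanSummary:
    detections: List[Detection]
    reported_count: Optional[int]  # "Detected object count" printed by the scanner
    scan_finished: bool

    @property
    def reboot_required(self) -> bool:
        return any(d.reboot_required for d in self.detections)

    @property
    def count_mismatch(self) -> bool:
        """True when the scanner reported more objects than the log still shows."""
        return self.reported_count is not None and self.reported_count != len(self.detections)


def parse_scan_log(text: str) -> ScanSummary:
    detections: Dict[str, Detection] = {}
    reported: Optional[int] = None
    finished = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner, blank line or pasted chatter, not a scanner line
        msg = m.group("msg").strip()
        d = DETECT_RE.match(msg)
        if d:
            detections[d["obj"]] = Detection(d["obj"], d["name"])
            continue
        r = REBOOT_RE.match(msg)
        if r and r["obj"] in detections:
            detections[r["obj"]].reboot_required = True
            continue
        a = ACTION_RE.match(msg)
        if a and a["obj"] in detections:
            detections[a["obj"]].action = a["action"]
            continue
        c = COUNT_RE.match(msg)
        if c:
            reported = int(c["n"])
        elif msg == "Scan finished":
            finished = True
    return ScanSummary(list(detections.values()), reported, finished)


if __name__ == "__main__":
    summary = parse_scan_log(SAMPLE_LOG)
    for det in summary.detections:
        print(f"{det.obj}: {det.name}, action={det.action}, reboot={det.reboot_required}")
    print("reboot required:", summary.reboot_required,
          "| count mismatch:", summary.count_mismatch)
```

On the posted log the parser reports one detection on `\Device\Harddisk0\DR0`, action `Cure`, with the reboot still pending; that pending flag is exactly the point the next reply makes.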

OK, as the log says, you will need to reboot to effect the cure. If you haven’t done that yet, do so.

Let us know if Avast alerts again after the reboot.

Already done. Thank you so much for all your help. :)

No problem, glad I could help.

Welcome to the forums.