rootkit on boot sector

Hello,
I have been fighting this infection for a week now.
I am about ready to give up and reformat my drive. It is a big deal because I have a lot of programs installed.
I ran:
Norton suite (froze the computer), removed
Kaspersky suite: removed viruses but cannot remove the Trojan in the HD boot sector
Created Norton rescue disk
Kaspersky rescue disk
Rebooted from rescue disk
Ran Kaspersky suite: removed viruses but cannot remove the Trojan in the HD boot sector

05:39:07.0593 2288 MBR (0x1B8) (4661f953f30d48fd76a9da73c4892179) \Device\Harddisk0\DR0
05:39:07.0625 2288 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
05:39:07.0625 2288 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)

TDSSKiller: removed viruses but cannot remove the Trojan in the HD boot sector
Malwarebytes
ESET online scan: no threat found
Ran ComboFix
Ran Sophos virus removal tool

I looked at some of the threads on the forum. One thing I didn't do is use OTL with the script, and I don't know how to do that.
I am also wondering if the computer is really booting from the rescue disk.

That's the sad state of affairs.

I hope you can help.

I attached the OTL log.

Thanks
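The three TDSSKiller lines quoted above are the only hard evidence in this post, so it helps to read them mechanically rather than by eye. The following is an added example written for this thread; it is not part of the original post and not Kaspersky's own tooling. It parses TDSSKiller's "MBR (0x1B8) (md5)", "( name ) - infected", "- detected name (code)" and "- ok" line shapes, groups the results per disk device, and lets you compare the logged MBR hash against the hash a previous scan recorded so you can tell whether the boot sector actually changed between runs (the same hash after a "cure" means nothing was rewritten). The fourth sample line, a clean second disk, is constructed for contrast; the regexes are modelled on the three quoted lines and assume other TDSSKiller lines share that layout.

```python
import re

# Constructed sample input: the three TDSSKiller lines quoted in the post
# above, plus one constructed "ok" line for a second disk as a clean case.
SAMPLE_LOG = """\
05:39:07.0593 2288 MBR (0x1B8) (4661f953f30d48fd76a9da73c4892179) \\Device\\Harddisk0\\DR0
05:39:07.0625 2288 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Pihar.c ) - infected
05:39:07.0625 2288 \\Device\\Harddisk0\\DR0 - detected Rootkit.Boot.Pihar.c (0)
05:39:08.0001 2288 \\Device\\Harddisk1\\DR1 - ok
"""

# Every TDSSKiller line opens with a timestamp and the scanner's thread id.
_PREFIX = r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+"
_DEV = r"(?P<dev>\\Device\\\S+)"
MBR_RE = re.compile(_PREFIX + r"MBR \(0x1B8\) \((?P<md5>[0-9a-fA-F]{32})\) " + _DEV + r"$")
INFECTED_RE = re.compile(_PREFIX + _DEV + r" \( (?P<name>\S+) \) - infected$")
DETECTED_RE = re.compile(_PREFIX + _DEV + r" - detected (?P<name>\S+) \((?P<code>\d+)\)$")
OK_RE = re.compile(_PREFIX + _DEV + r" - ok$")


def parse_tdsskiller(text):
    """Group TDSSKiller disk/MBR lines per device.

    Returns {device: {"md5": str|None, "verdict": "infected"|"ok"|"unknown",
                      "detections": [names]}}.
    """
    devices = {}

    def entry(dev):
        return devices.setdefault(dev, {"md5": None, "verdict": "unknown", "detections": []})

    for raw in text.splitlines():
        line = raw.rstrip()
        if m := MBR_RE.match(line):
            # The md5 is of the MBR sector; recording it lets a later scan be diffed.
            entry(m["dev"])["md5"] = m["md5"].lower()
        elif m := INFECTED_RE.match(line):
            e = entry(m["dev"])
            e["verdict"] = "infected"
            if m["name"] not in e["detections"]:
                e["detections"].append(m["name"])
        elif m := DETECTED_RE.match(line):
            e = entry(m["dev"])
            e["verdict"] = "infected"
            if m["name"] not in e["detections"]:
                e["detections"].append(m["name"])
        elif m := OK_RE.match(line):
            e = entry(m["dev"])
            if e["verdict"] == "unknown":   # never downgrade an infected verdict
                e["verdict"] = "ok"
    return devices


def infected_devices(report):
    """Devices TDSSKiller flagged, mapped to their detection names."""
    return {dev: info["detections"] for dev, info in report.items() if info["verdict"] == "infected"}


def mbr_changed(report, dev, baseline_md5):
    """True if the MBR hash now logged for `dev` differs from `baseline_md5`.

    The baseline is simply the hash an earlier scan logged; it is not a
    vendor-known-good value, so an unchanged hash means "nothing was rewritten",
    not "the MBR is clean".
    """
    current = report.get(dev, {}).get("md5")
    return current is not None and current != baseline_md5.lower()


if __name__ == "__main__":
    report = parse_tdsskiller(SAMPLE_LOG)
    for dev, info in report.items():
        print(f"{dev}: {info['verdict']}  md5={info['md5']}  {info['detections']}")
    # Re-run after a "cure" and feed the earlier md5 in as the baseline.
    print("MBR changed since baseline:",
          mbr_changed(report, "\\Device\\Harddisk0\\DR0", "4661f953f30d48fd76a9da73c4892179"))
```

Save each TDSSKiller log from successive runs and pass the previous run's MBR hash as the baseline; if a scan claims the object was cured but the hash is identical on the next boot, the boot sector was not actually rewritten and a rescue-media or offline fix is the next step.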

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

Hello, I re-ran all the programs on your list.

here are the logs.

I did not run the fixes.

Thanks

Good. Now you have to wait a bit. :wink:

Hi,

You said that you ran ComboFix and TDSSKiller? Could you attach those logs as well please?

OK, I feel a little embarrassed.
I re-ran TDSSKiller: nothing. I reinstalled the Kaspersky suite and ran the scan… nothing.

The problem is that I don't know what worked.
Still, let me attach the files.

I don't know if you will be able to tell which one cured the problem.

If I recall, asw had a few files that I deleted.

Anyway, thanks. I will contact you again if I am still infected, but so far so good.

Hi,

Looks like you have a major infection that has been partially removed.

WARNING: Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Double-click on Combofix.exe and follow the prompts on your display. When finished, it will create C:\Combofix.txt. Please post this log for further review.

I was all happy everything looked clean…

OK, I want to give it one shot and then I will have to bite the bullet and reinstall everything.

So I have downloaded combofix, and actually I let Kaspersky run a full scan overnight and it detected the Rootkit.Boot.Pihar.b and it can’t be removed…

Ok What’s next?

Hi,

Using the instructions I provided to you earlier, run a new scan with ComboFix and attach the log created. :slight_smile:

OK it is running.
I have disconnected the internet from the infected computer and I am responding from my laptop.
It is preparing the log; it should be 10 more minutes or so.

Sounds good.

As I am looking at the thread I see it was the Rootkit.Boot.Pihar.c, the last Kaspersky scan showed the Rootkit.Boot.Pihar.b

Ok… :slight_smile:

Don’t you think it is taking too long? It is still preparing the log.

It is frozen.
I am going to reboot it and restart combofix

OK here is the new log

It seems my last post doesn't show. Anyway, here is the log.

Hi Eric1234,

ComboFix does not look horrible. :slight_smile:

Please download TDSSKiller

- Double-click to run TDSSKiller.exe
- Press Change Parameters
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click on the Start Scan button
- Only if Malicious objects are found, then ensure Cure is selected
- Then click Continue > Reboot now
- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
- Copy and paste the log in your next reply
- A report will be created in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents in your next reply.

OTL

- Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
- In Custom Scans/Fixes please put the following:

    netsvcs
    /md5start
    consrv.dll
    /md5stop
    createrestorepoint

- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.
  Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

In your next reply please attach the logs made by OTL and TDSSKiller.

Hello jeffce,

Great, you got me worried yesterday.

Here is the TDSSKiller log. It did not have the Cure option. Most of the “threats” are programs that I know.

OK, I need to do an attachment; the forum doesn't let me paste a big paragraph.

Now I am doing the OTL.