rootkit partition and reinstall/reformat problems

I have had what appears to be a rootkit on my computer for about a month now. I would have removed it already but this one is very clever at disabling my computer’s own repair system. I choose to repair my computer and it gives me the load screen indefinitely. I then waited for Dell to send me a reinstall disk for my computer and then backed everything up. I had no idea what kind of virus was on my computer until I was selecting which partition to use for reinstallation. There were four listed: the OEM partition at 100 MB, the primary partition at 750 GB, the repair partition at 19 GB and this odd partition4 which has 0 MB.

I realized that was what avast was catching on startup as MBR://./PHYSICALDRIVE0 but was unable to remove with a boot time scan. I didn’t know the significance of the rootkit virus but after some research I understand the severity of it. I am more than willing to reformat but my question is should I be worried about this partition it has created? Will it come back after reformatting? I don’t want to leave my system bare so that the rootkit comes back in full force. From tutorials I have seen, reinstalling the OS will usually allow you to delete the partitions you have but I can’t do it with partition4 as it gives me an “I/O” error.

Does this matter? Should I just reinstall on the primary drive and everything will be cleared?

Additionally, the rootkit is disabling a few features like I mentioned before and it won’t let me run from a boot DVD on startup, I just skip to login every time I try to start with boot from disk. I’m worried now that it somehow disabled safemode as I can’t see it on boot menu screen. I can’t even run tdsskiller.exe but that might be something unrelated to the rootkit for all I know.

Help?

follow this guide:
http://forum.avast.com/index.php?topic=53253.0

attach all logs here.

then one of our malware removal helpers will get you up and running… :wink:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.25.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tadeh :: TADEH-PC [administrator]

2/25/2012 3:47:37 AM
mbam-log-2012-02-25 (03-47-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205826
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

I cannot seem to run the aswMBR.exe. It pops up for an instant in task manager then goes away. That is the same problem I have had with tdsskiller.exe

Here’s the extra file from the OTL.

Hi there, I know where the problem is and how to remove it.

Preferably from a clean computer, I need you to download: gparted-live-0.11.0-7.iso (115.1 MB)
To the desktop


Create a Windows 7 System Repair Disc:

Note: the below can only be done if your machine has a type of CD/R or DVD/R optical drive installed. Also, depending on the exact type of OEM your machine has, you may be unable to actually create a SRD.

- Click on Start (Windows 7 Orb) >> Run…, then copy/paste the following command into the box and click on OK:

recdisc.exe

- Allow the UAC (User Account Control) prompt via selecting Yes.
- You should now see a menu like the below:

http://i280.photobucket.com/albums/kk173/Dakeyras_album2/WTSRD1.gif

- Put a blank rewritable CD/DVD in your optical (CD/DVD) drive and then click on Create disc.

A blank CD/R or DVD/R can be used also…

- Note: If an AutoPlay window pops up, just close it.
- When the SRD has been created you will see similar to the below:

http://i280.photobucket.com/albums/kk173/Dakeyras_album2/WTSRD2.gif

- Now click on Close >> OK.
- You now have a Windows 7 System Repair Disc.

Please note: the above can be created with either a 32 or 64 bit Operating System. However, the discs are not interchangeable, i.e. a 32-bit Startup Repair Disc cannot be used on a 64-bit Operating System and vice versa; otherwise damage may be caused rather than any actual repairs implemented.

The differences between the aforementioned can be read in this Microsoft Article:-

32-bit and 64-bit Windows: frequently asked questions

Create a bootable CD for Gparted from the ISO image. You can use ImgBurn to do this.

Now boot off of the newly created Gparted CD.


http://img829.imageshack.us/img829/5772/gpartedsplash.th.png

You should be here…
Press ENTER


http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png

By default, “do not touch keymap” is highlighted. Leave this setting alone and just press ENTER.


http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png

Choose your language and press ENTER. English is default [33]


http://img140.imageshack.us/img140/7958/gpartedgui.th.png

Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below

http://img32.imageshack.us/img32/1122/gpartedo.th.png

According to your logs, the partition that you want to delete is partition4, which has 0 MB.

Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:

http://img233.imageshack.us/img233/1533/gpartedsteps.th.png

Now you should be here:

http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png


http://img194.imageshack.us/img194/7753/gpartedboot.th.png

Is “boot” next to your OS drive?

If “boot” is not next to your OS drive under “Flags”, right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:

http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png

Now double-click the
http://img822.imageshack.us/img822/641/gpartedexit.png
button.

You should receive a small pop up like this:

http://img88.imageshack.us/img88/8986/gpartedexitreboot.png

Choose reboot and then press OK.

Now reboot from the Windows 7 Recovery Environment CD and execute the following commands.
When you reboot you will see this, although yours will say Windows 7.

Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following

bootrec /FixMbr
bootrec /FixBoot
exit

Once back in Windows.

If you are unable to get to windows then run the recovery disc again and select this option:

Startup Repair

THEN

Retry aswMBR and post the scan log

OK, I did the repair disk and that is currently in my drive, so what happens to it? I just leave it in there? I figure the bootable CD for the gparted is supposed to be a hard copy not virtual right? In that case, I make a copy of the image on a bootable disk then load that at boot up, correct? Then the repair disk is on hold for the startup repair?

And is it possible that the rootkit would not allow a run from the bootdisk even after setting it up in BIOS?

Remove the recovery console disc for now (keep this disc though as it is very useful to have)
Create and then boot from the Gparted disc to reset the partition data
You should then be able to go straight to normal windows
If that fails then use the recovery console disc to reset the boot sequence

Ok, I did a few things before getting your message.

I did the whole gparted process and rebooted.

But I didn’t go straight to normal windows. I didn’t understand from your previous part what that repair disk was meant to do so I didn’t use it. The startup just kept saying BootMgr wasn’t working and I tried the windows 7 reinstall disk and tried to repair it like you had in the tutorial.

It looked OK until I was supposed to pick the OS partition, unfortunately nothing popped up, the dialog box was blank, devoid of any Hard drive. I tried to go to drivers but nothing I did there worked either.

I clicked Next to see what happens and it took me to next step anyway. I went through the command prompt actions and then restarted.

The Bootmgr problem occurred again and the only option was to restart. I was fed up so I just went to the reinstall disk again and then formatted the main drive. Partition4 with 0 MB didn’t show up again, so I figure it is gone.

Right now I have a fresh install of Win7 and I checked Disk Management to see all of the partitions right away. It’s just the 3 regular ones I mentioned in my first post and the Resource CD I currently have (for driver installations).

I’m sorry that I didn’t catch your post about booting from the repair disk as I would have just done that. Anyway, am I OK now by the looks of things? A format and fresh install should set the HD back to basic right? Is there any follow up, anything I should do now?

To confirm that it has gone then run aswMBR

A full drive reformat will clear the miscreant

Gparted removed it and using the recovery console would have reset the boot sequence

That is the trouble with time zones unfortunately

I attached the scan log .txt file but left the .dat file alone.

Just to make clear, my reformat of the main drive did clear it? Nothing to worry about, no hidden code or something?

Not there any more, aswMBR shows clean ;D

10:46:46.677 Disk 0 Windows 7 default MBR code
10:46:46.692 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 101 MB offset 63
10:46:46.708 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 20000 MB offset 212992
10:46:46.708 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 695299 MB offset 41172992
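As an added example (not from this thread, and not code from aswMBR, GParted or any other tool mentioned here), a small Python script that decodes a classic MBR partition table like the one aswMBR lists above and flags the two things the helpers were checking for: a typed partition entry with zero sectors, like the 0 MB partition4 from the first post, and an OS partition with no boot flag. The MBR bytes it examines are constructed to mirror that listing; the `build_mbr` helper only exists to make the sample.

```python
import struct

SECTOR = 512          # partition entries count 512-byte sectors
MB = 1024 * 1024

def parse_mbr(mbr):
    """Decode the four primary partition entries of a classic (non-GPT) MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        boot, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        entries.append({"index": i + 1, "bootable": boot == 0x80, "type": ptype,
                        "offset": lba, "sectors": count, "size_mb": count * SECTOR // MB})
    return entries

def audit(entries):
    """Defender checks: typed entries that have no size, and a missing boot flag."""
    findings = []
    for e in entries:
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"partition{e['index']}: type 0x{e['type']:02X} but 0 sectors")
    if not any(e["bootable"] for e in entries):
        findings.append("no partition carries the boot flag")
    return findings

def build_mbr(parts):
    """Assemble a sample MBR from (bootable, type, offset, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if b else 0, t, off, n)
                     for b, t, off, n in parts)
    return bytes(446) + table.ljust(64, b"\0") + b"\x55\xaa"

# Constructed sample modelled on the aswMBR listing above (MB converted to sectors);
# the fourth entry imitates the 0 MB "partition4" described in the first post.
SAMPLE_MBR = build_mbr([
    (False, 0xDE, 63, 101 * 2048),           # Dell Utility
    (False, 0x07, 212992, 20000 * 2048),     # recovery NTFS
    (True, 0x07, 41172992, 695299 * 2048),   # Windows NTFS, boot flag set
    (False, 0x07, 0, 0),                     # typed but zero-length entry
])

if __name__ == "__main__":
    entries = parse_mbr(SAMPLE_MBR)
    for e in entries:
        print(f"partition{e['index']} boot={e['bootable']} type=0x{e['type']:02X} "
              f"offset={e['offset']} size={e['size_mb']} MB")
    for finding in audit(entries):
        print("WARNING:", finding)
```

To audit a real disk, pass the first 512 bytes of the physical drive (reading them requires administrator rights) to `parse_mbr` instead of the constructed sample.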