Avast found a rootkit virus but it doesn't delete. How do you eliminate this threat?
Hi,
Please read this guide:
http://forum.avast.com/index.php?topic=53253.0
Run the diagnostic tools from the guide and attach the reports from those tools here.
Someone will notify essexboy to review the logs.
Thank you for the quick response. Here is the data:
MBAM Scan -
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.14.06
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Mike :: MIKE-PC [administrator]
2/14/2012 8:49:23 PM
mbam-log-2012-02-14 (20-49-23).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 180340
Time elapsed: 3 minute(s), 32 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
You may like to try aswMBR and GMER; they can remove it.
Please stay out of malware removal topics until you are qualified to assist. Magna86 has already started the ball rolling and he or essexboy will follow it up.
Could you run aswMBR please as that will show me the problem area
Log is attached:
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-18 07:55:33
07:55:33.139 OS Version: Windows x64 6.1.7600
07:55:33.139 Number of processors: 2 586 0x602
07:55:33.139 ComputerName: MIKE-PC UserName: Mike
07:55:46.461 Initialize success
07:55:46.695 AVAST engine defs: 12021800
07:55:50.065 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\0000005c
07:55:50.065 Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 11
07:55:50.096 Disk 0 MBR read successfully
07:55:50.096 Disk 0 MBR scan
07:55:50.112 Disk 0 Windows 7 default MBR code
07:55:50.112 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12000 MB offset 2048
07:55:50.143 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 24578048
07:55:50.159 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464838 MB offset 24782848
07:55:50.190 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 976771072
07:55:50.205 Disk 0 Partition 4 INFECTED MBR:Alureon-K [Rtk]
07:55:50.221 Service scanning
07:55:52.951 Modules scanning
07:55:52.951 Disk 0 trace - called modules:
07:55:52.998 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys ACPI.sys storport.sys hal.dll amdsata.sys
07:55:53.013 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004a74760]
07:55:53.013 3 CLASSPNP.SYS[fffff8800191843f] → nt!IofCallDriver → [0xfffffa80045cf7f0]
07:55:53.029 5 amdxata.sys[fffff880010758b9] → nt!IofCallDriver → [0xfffffa80045cf2d0]
07:55:53.045 7 ACPI.sys[fffff88000eca781] → nt!IofCallDriver → \Device\0000005c[0xfffffa80045cb350]
07:55:54.371 AVAST engine scan C:\Windows
07:55:59.285 AVAST engine scan C:\Windows\system32
08:01:27.447 AVAST engine scan C:\Windows\system32\drivers
08:01:54.747 AVAST engine scan C:\Users\Mike
08:05:56.142 AVAST engine scan C:\ProgramData
08:06:40.898 Scan finished successfully
08:08:26.370 Disk 0 MBR has been saved successfully to “C:\Users\Mike\Desktop\MBR.dat”
08:08:26.385 The log file has been saved successfully to “C:\Users\Mike\Desktop\aswMBR.txt”
OK, it seems as though Avast is stopping the malware from being active (which is good) but is unable to remove it automatically.
Go Start > Run
Type in compmgmt.msc
Select Storage
Select Disk Management
Locate the 1 MB partition (4)
Right click and select delete
Rerun aswMBR and post the log please
I'm a little lost right now. I've gotten to the screen you show in your last post but I don't know what or where to go from there. I can't figure out how to navigate on that screen.
You need to locate the fourth partition on the far right; it will be small, just 1 MB.
Right click that from the Disk Management screen
Select delete
Thank you. The light bulb finally went off. Here’s the new scan:
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-19 08:21:55
08:21:55.152 OS Version: Windows x64 6.1.7600
08:21:55.152 Number of processors: 2 586 0x602
08:21:55.152 ComputerName: MIKE-PC UserName: Mike
08:21:57.648 Initialize success
08:21:57.710 AVAST engine defs: 12021900
08:22:00.066 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\0000005c
08:22:00.066 Disk 0 Vendor: Hitachi_ PB4O Size: 476940MB BusType: 11
08:22:00.097 Disk 0 MBR read successfully
08:22:00.097 Disk 0 MBR scan
08:22:00.113 Disk 0 Windows 7 default MBR code
08:22:00.128 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12000 MB offset 2048
08:22:00.144 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 24578048
08:22:00.144 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464838 MB offset 24782848
08:22:00.159 Service scanning
08:22:01.875 Modules scanning
08:22:01.875 Disk 0 trace - called modules:
08:22:01.907 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys ACPI.sys storport.sys hal.dll amdsata.sys
08:22:01.922 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004a64420]
08:22:01.938 3 CLASSPNP.SYS[fffff880019a043f] → nt!IofCallDriver → [0xfffffa80049a9040]
08:22:01.953 5 amdxata.sys[fffff880010828b9] → nt!IofCallDriver → [0xfffffa80049a8d30]
08:22:01.953 7 ACPI.sys[fffff88000f93781] → nt!IofCallDriver → \Device\0000005c[0xfffffa80049a5060]
08:22:03.404 AVAST engine scan C:\Windows
08:22:07.725 AVAST engine scan C:\Windows\system32
08:25:03.429 AVAST engine scan C:\Windows\system32\drivers
08:25:12.929 AVAST engine scan C:\Users\Mike
08:29:59.876 AVAST engine scan C:\ProgramData
08:30:44.289 Scan finished successfully
08:31:36.128 Disk 0 MBR has been saved successfully to “C:\Users\Mike\Desktop\MBR.dat”
08:31:36.128 The log file has been saved successfully to “C:\Users\Mike\Desktop\aswMBR.txt”
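The two aswMBR logs above are the whole case: the first shows a fourth, hidden (type 0x17) 1 MB partition at the very end of the disk that the engine flags as MBR:Alureon-K, the second shows the disk after that partition was deleted. The following script is an added example, not part of this thread or of aswMBR, that parses the partition-table and INFECTED lines of such a log, flags both the engine's verdict and the generic indicator (a hidden partition far too small for any legitimate use, the size threshold being an assumption), and diffs a before/after pair so the removal can be confirmed without reading the raw log. The sample logs embedded below are the relevant lines copied from the two logs posted in this thread.

```python
"""Parse aswMBR partition lines and flag a bootkit's hidden partition.

Added example for this thread; it is not aswMBR's own code and only
understands the line formats visible in the logs posted above.
"""
import re
from dataclasses import dataclass

# Partition-table line, e.g.
#   07:55:50.190 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 976771072
PARTITION_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<idx>\d+) (?P<boot>00|80) (?:\(A\) )?"
    r"(?P<ptype>[0-9A-Fa-f]{2}) (?P<desc>.+?) (?P<size_mb>\d+) MB offset (?P<offset>\d+)\s*$"
)
# Engine verdict line, e.g.
#   07:55:50.205 Disk 0 Partition 4 INFECTED MBR:Alureon-K [Rtk]
INFECTED_RE = re.compile(r"Disk (?P<disk>\d+) Partition (?P<idx>\d+) INFECTED (?P<what>.+?)\s*$")

# MBR partition-type IDs with the 0x10 "hidden" bit set. 0x17 is hidden NTFS (the
# bootkit's choice here); 0x27 is the Windows recovery partition type.
HIDDEN_TYPES = {0x17, 0x1B, 0x1C, 0x1E, 0x27}
# Assumption: no legitimate hidden partition on a Windows 7 disk is this small.
TINY_MB = 16


@dataclass(frozen=True)
class Partition:
    disk: int
    index: int
    bootable: bool
    ptype: int
    desc: str
    size_mb: int
    offset: int  # first sector


def parse_aswmbr(log: str):
    """Return (partitions, infected) where infected maps (disk, index) -> verdict."""
    partitions, infected = [], {}
    for line in log.splitlines():
        m = PARTITION_RE.search(line)
        if m:
            partitions.append(Partition(int(m["disk"]), int(m["idx"]), m["boot"] == "80",
                                        int(m["ptype"], 16), m["desc"].strip(),
                                        int(m["size_mb"]), int(m["offset"])))
            continue
        m = INFECTED_RE.search(line)
        if m:
            infected[(int(m["disk"]), int(m["idx"]))] = m["what"]
    return partitions, infected


def findings(partitions, infected):
    """Flag engine verdicts and tiny hidden partitions (the generic bootkit indicator)."""
    out = []
    for p in partitions:
        key = (p.disk, p.index)
        if key in infected:
            out.append(f"Disk {p.disk} partition {p.index}: engine flagged {infected[key]}")
        if p.ptype in HIDDEN_TYPES and p.size_mb <= TINY_MB:
            out.append(f"Disk {p.disk} partition {p.index}: hidden type 0x{p.ptype:02X}, "
                       f"only {p.size_mb} MB at sector {p.offset}")
    return out


def removed_partitions(before, after):
    """Partitions present in the first log but gone (same disk, index and offset) in the second."""
    after_keys = {(p.disk, p.index, p.offset) for p in after}
    return [p for p in before if (p.disk, p.index, p.offset) not in after_keys]


# Constructed samples: the Disk 0 lines from the two logs posted in this thread.
BEFORE_LOG = """\
07:55:50.112 Disk 0 Windows 7 default MBR code
07:55:50.112 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12000 MB offset 2048
07:55:50.143 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 24578048
07:55:50.159 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464838 MB offset 24782848
07:55:50.190 Disk 0 Partition 4 00 17 Hidd HPFS/NTFS NTFS 1 MB offset 976771072
07:55:50.205 Disk 0 Partition 4 INFECTED MBR:Alureon-K [Rtk]
"""
AFTER_LOG = """\
08:22:00.113 Disk 0 Windows 7 default MBR code
08:22:00.128 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12000 MB offset 2048
08:22:00.144 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 24578048
08:22:00.144 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464838 MB offset 24782848
"""

if __name__ == "__main__":
    before_p, before_i = parse_aswmbr(BEFORE_LOG)
    after_p, after_i = parse_aswmbr(AFTER_LOG)
    for line in findings(before_p, before_i):
        print("before:", line)
    for p in removed_partitions(before_p, after_p):
        print(f"removed: partition {p.index} ({p.size_mb} MB at sector {p.offset})")
    print("after :", findings(after_p, after_i) or "clean")
```

The engine verdict is the authoritative signal; the size heuristic is there so the same check still says something when the engine has no signature for the sample but a hidden sliver at the end of the disk is present.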
How is the computer behaving now?