Rootkit problem with Avast!Home, a real rootkit or Avast's problem?

Good Afternoon from Greece,
excuse me for my poor English language knowledge, but English is not my native language!

I’m a happy Avast Home user, have been using Avast for a year or something continuously!
Last month I was infected by some malware and viruses (I’m neither an inexperienced user nor an expert, so I consider myself an intermediate computer user). To be honest, I have no idea where these viruses and malware came from, but I don’t care a lot about that, because I’ve had Avast Home and MBAM remove anything suspicious from my PC!
Avast recently told me to upgrade to a new version (I’m talking about the software, not the database) and I updated. Then I restarted my PC and all seemed fine, as Avast started up correctly and updated automatically without any problems. At some random time yesterday, I had nothing to do and I was looking at Avast Home’s Main Menu and did a manual database update, although it was up-to-date. Right after the update, Avast showed me something about a Rootkit (I know what a Rootkit is). Avast told me that the Rootkit was located somewhere in “MBR://PHYSICALDRIVE0” (I’m not sure about “MBR://” but I think it has to do with the motherboard. I know that PHYSICALDRIVE0 is my “C:”). As I had just finished my update, I thought that it would be an Avast mistake and I ignored it. It appeared again with “MBR://PHYSICALDRIVE4” and I ignored it again. After 10-15 minutes exactly the same happened! I then selected “Delete” and I was prompted to have a “Pre-boot Virus Check”, and so I did. My PC restarted automatically and was checked without Avast finding any virus. The next time I opened my PC, I just deleted the Rootkits again, without restarting my PC. Today I was extremely busy and the message was appearing again. I don’t know why, but I made the mistake of selecting “Don’t notify me anymore for that rootkit” (that’s my translation… I don’t know the exact phrase, as I have Avast in Greek) for both viruses.
Since then, I’m not experiencing any problems, but I’m afraid that I really may have been infected by a Rootkit.

I did a little search in the forum, and I saw that you prompt users to post HijackThis and Random’s System Information Tool reports. I have my reports saved and if you need them, I’ll post them immediately!

Thanks in advance for your help and I’m sorry for the length of my message!
I wish you all and your families happy new year with a lot of health, power and success!

Edit: I forgot to let you know that I’m a Windows 7 32bit User!
2nd Edit: I was reading log.txt from HijackThis and found some suspicious things (I don’t see any of these in processes). There are around 5 files called prkes.exe, duop.exe, blahblah in the following directory "C:\Users\dtryfo (my user name)" that I’m sure are viruses, and I am surprised why Malwarebytes or Avast didn’t catch any of these. Most of the viruses I had to deal with last month were like these. They were called “baufop.exe” and had weird names, but I thought then that I had got rid of them! Probably I’ve had the rootkit since then and it has now created new files…

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(do not post log`s in the guide)

To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt.)

Good Afternoon from Greece!

Thanks for your support. If I attached my files correctly, I think you should be seeing 'em right now!

I forgot to mention in my previous post that since the first viruses appeared I’m getting BSODs at random times. Basically, I’m getting these BSODs when I overload my computer (when I have a lot of programs open). The error code is 0x0000007E and it is caused by “ntrklnpa.exe” (I got that info from BlueScreenView). But I still don’t know if that’s caused by the virus.
Additionally, my RAM is always 1GB loaded, even if I have only Notepad open, but I don’t know if that happened after the virus.

Thanks again for your help!

The files were too big (exceeded 200kb) and I have to post the 2nd file (otl.exe) in a second post!

Hi that is the TDL4 bootkit

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.
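The detection in the first post (“MBR://PHYSICALDRIVE0”) and the TDL4 identification above both concern code planted in the first sector of the disk. As an added example (not part of this thread or of any of the tools named in it), here is a small Python MBR parser that verifies the boot signature, lists the partition table and compares the boot-code hash against a known-good baseline; the two 512-byte sectors it checks are constructed in the script, and the hypothetical “tampered” sector simply has different loader bytes, not real bootkit code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446  # boot code occupies bytes 0..445


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR sector into boot-code hash, partitions and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", sector[start:start + 16])
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": entries,
    }


def mbr_findings(sector: bytes, baseline_boot_sha256: str) -> list:
    """Compare a freshly read MBR with a baseline boot-code hash; return a list of findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline (possible MBR bootkit)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not a real disk image): one bootable NTFS partition at LBA 2048."""
    boot_code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xAA"


# Baseline taken from a sector that is known to be clean (constructed here).
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Hypothetical tampered sector: same partition table, loader bytes replaced in place.
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\xCC" * 100)
```

To check a live disk on Windows, read the first 512 bytes of `\\.\PhysicalDrive0` from an administrator prompt and pass them to `mbr_findings` with a hash recorded while the machine was known to be clean; a changed boot code is a reason to run a dedicated rootkit scanner, not proof of infection by itself.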

Good Afternoon!

I did what you had me do and I think that all is gone now!

I used TDSSKiller, which “cured” the Rootkit for me. I then restarted my computer and TDSSKiller didn’t find any threats!

I also had my computer scanned with SUPERAntiSpyware, Avast and MBAM before TDSSKiller and they didn’t find anything. I don’t have a lot of time now, so I’ll have my computer scanned again tomorrow!
Is there any other Rootkit Remover application to be sure that my computer is finally virus-free?

I should admit that your help and support was free but EXCELLENT and 5* Level :slight_smile:
Thanks for assisting me!
Andreas from Greece

Nothing else was apparent on the OTL log, so could you run Malwarebytes to check for orphans

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks!

I did a full scan with MBAM (Malwarebytes) before TDSSKiller and all was fine.
I’ll do another now or tomorrow!

Aaah, it would be nice if you could answer a last question for me: now that the Rootkit is gone, may the BSODs stop? I didn’t want to “push” my computer now until a BSOD appeared, but might the BSODs have come from the virus?

Thanks again for assisting me and providing me with that HELPFUL information!
:slight_smile:

They should now stop - if they do not then let me know and we will investigate that

Run OTL and hit the cleanup button

Ok! If there is anything wrong regarding BSODs in the future, I’ll ask for your help!
I’m now scanning my pc with MBAM with a full scan and I’m waiting for the results;)

:slight_smile:

Good Afternoon,

I think I’m still infected with something! I did checks with Avast, MBAM and TDSSKiller (in case the rootkit “reappeared”) but all seems clear. BSODs are gone and everything is fine, but (I don’t know exactly when) somebody uploaded a malicious script to all of my pages (I have a website) through FTP, which was stopped by Avast. It was something like “js-iframe trojan…” I’m using FileZilla Client and I don’t use any hacked or cracked programs.
Is it possible that when I had the rootkit, someone “stole” my FTP password and used it last week? I have the IP of the visitor, but I don’t have any way to use it.

Do you need any reports from programs like OTL etc.?

Thanks in advance!

If Avast stopped it, then it is your site that is infected and not your system. Do you have any clean backups that you could upload ?

Thanks for your reply!

Yes, I restored the last clean backup and all is fine now. Additionally, my hosting provider blocked his IP from my hosting’s network.
But I still wonder how he found my password.

Thanks in advance!

As for that I am not sure as there was no indication of a password stealer.

Ok! I trust you! :wink:
I’ll inform you if there is any indication like this in the future :slight_smile:

My pleasure