Serious Rootkit Virus That I Can't Remove..

Ok, so I’m not great with computers, but I will try to explain this as best I can. A few days ago my PC got two viruses with the following names:

MBR:\.\PHYSICALDRIVEZERO

Threat: SINOWAL@mbr[RTK]

Now usually Avast just moves them to the chest or deletes them, I restart the computer and it’s fine. BUT with these two, no such luck. Every time I restart the computer they appear again, so I go into the Avast interface and attempt to delete (or move) them there, but the interface won’t allow it; it won’t let me click Apply. Avast now frequently tells me to do boot-time scans. I’ve done these several times, and although it finds the virus, it won’t remove it. I have tried the usual stuff, running it in Safe Mode and trying there, with no effect.

I’ve also scanned with Malwarebytes, Spybot, Norman Malware Cleaner and Ad-Aware; none of them could pick it up.

Any help you guys could offer would be greatly appreciated. Thanks,

Jamie

I suggest you try a boot scan, since it sounds like Avast is detecting them but is not able to do anything about them.

http://www.schmahl.net/avastbootscan.php

During the boot scan, when Avast finds the viruses, try sending them to the chest (recommended).

You could also give SUPERAntiSpyware a shot.

http://www.superantispyware.com/

PS: it would be nice if in your next post you tell us what system you have and what version of Avast you are using, in case we must use other tools to deal with your problem.

Good luck, and let us know how it goes or if you need more support.

@jibbyreznor
You are probably infected with a rootkit called TDL3.
Currently, antivirus/spyware/malware tools cannot remove this rootkit.
Please do the following.

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
     1. DDS.txt
     2. Attach.txt

Save both reports to your desktop. Post DDS.txt back to topic.

Ok, I’ve tried SUPERAntiSpyware, and although it did find some infected files, it did not find the virus Avast found.
I have also tried a boot scan, but again it finds it, it just doesn’t delete it. I’m currently using XP and Avast 5.1.889.

I have attached the DDS log; it’s too large to post in the message.

Thanks again for your help,

Jamie

Would you like to copy/paste the contents of this log?
C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt

Download AVZ Antiviral Toolkit and save it to your Desktop from here:
http://devbuilds.kaspersky-labs.com/devbuilds/AVZ/avz4.zip

Extract the archive to a folder.

Run AVZ by double-clicking on this icon:

http://blog.brothersoft.com/wp-content/uploads/2008/11/avz_antiviral_toolkit_logo.jpg

Start AVZ. In the menu choose:
File > Custom Scripts
In the window that opens copy/paste everything inside the quotebox below

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
   QuarantineFile('c:\docume~1\jamesb~1\locals~1\temp\aswarkrn.sys','');
   QuarantineFile('c:\docume~1\jamesb~1\locals~1\temp\pohci13f.sys','');
   DeleteFile('c:\docume~1\jamesb~1\locals~1\temp\aswarkrn.sys');
   DeleteFile('c:\docume~1\jamesb~1\locals~1\temp\pohci13f.sys');
   StopService('aswArKrn');
   StopService('pohci13F');
   DeleteService('aswArKrn');
   DeleteService('pohci13F');
BC_ImportDeletedList;
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.

Click on Run and wait for the script to execute.

  • Restart your computer

  • Run AVZ
    In the menu choose:
    File> Standard Scripts

In the window that opens, select number 2 and click Execute Selected Scripts.
Click Yes.

After the scan finishes you will be informed:
Script Executed

Exit the program.

Upload the file virusinfo_syscheck.zip from the AVZ\log folder to the forum as an attachment.

- Run DDS and attach a fresh DDS.txt.

@Magna: Sinowal is not TDSS (aka TDL3). Sinowal is a bootkit; TDSS is a rootkit.
@Topic: You may need to use fixmbr or even format. Sinowal is a nasty one. I’ve once removed sinowal.gcu with GMER. There is no “specific” method to remove a rootkit like Sinowal. Unfortunately, Mebroot infects a PC’s Master Boot Record (MBR), the first sector on a hard drive, where it’s invisible to ordinary antivirus agents. The installer modifies the boot sector and places the main body of the malicious program on hard disk sectors.

The log files are attached, Magna 86. I could not, however, attach the virusinfo_syscheck file because it won’t allow me to attach WinRAR files. Thanks for your input, Left123; do you have any ways of getting rid of it other than formatting?

Thanks again for your continued help,

Jamie

Formatting is not necessary; it will just take a while.

Send the virusinfo_syscheck WinRAR file to this site:
http://www.speedyshare.com/
Paste the download link.

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Post the log report (ComboFix.txt) back to the topic.

@Left123

I am aware of that. :) Thanks for the tip. I was just guessing TDL3 because our home forum had a similar case. I know how the MBR works.
Now I see what is going on in the diagnostic tools/logs. :)

Here’s the log link:

http://www.speedyshare.com/files/26399470/virusinfo_syscheck.zip

and the other is attached,

many thanks

Jamie

1.)
Open notepad and copy/paste the text present inside the code box below:


KillAll::

File::
c:\windows\system32\drivers\vdi3ndu1.sys

DirLook::
c:\documents and settings\All Users\Application Data\~0

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

Save this as CFScript.txt.

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


2.)

Download MBR Rootkit Detector from this link to the root directory C:\

http://www2.gmer.net/mbr/mbr.exe

Start >> Run,

cmd.exe

Ok

It will open the console.

  • Type cd\ and hit Enter in order to change to the root directory
    (the console will display the prompt C:\>_).

  • Type mbr.exe -f and press Enter.
    Note the space between “mbr.exe” and “-f”; it must be there.

Finally, in the console type exit and press Enter.

Restart your computer.

Open the root directory and copy/paste the mbr.txt log (C:\mbr.txt).
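The mechanism Left123 describes earlier in the thread (Mebroot/Sinowal rewriting the first sector of the drive and parking its body in raw disk sectors) and the mbr.exe -f step in the post above both come down to the same 446 bytes of boot code in sector 0. The Python below is an added example, not part of this thread and not code from Avast, AVZ, ComboFix, GMER or any other tool mentioned here. It parses an MBR, compares its boot code against a hash recorded while the machine was known-good, and applies the boot-code-only rewrite that fixmbr and mbr.exe -f perform. The sample MBR, the stand-in "boot code" byte strings and every function name are constructed for illustration; read_mbr assumes the Windows device name \\.\PhysicalDrive0 (the one in Avast's detection string) and administrator rights.

```python
"""Added example (not from the forum thread): parse a 512-byte Master Boot
Record, compare its boot code against a trusted baseline, and apply the kind
of repair fixmbr / mbr.exe -f perform. Sample bytes are constructed and are
not a capture of Sinowal/Mebroot."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446                 # bytes 0..445: boot code (what an MBR bootkit replaces)
PART_TABLE_OFFSET = BOOT_CODE_SIZE   # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"         # bytes 510..511
ENTRY_FMT = "<B3sB3sII"              # status, CHS start, type, CHS end, LBA start, sector count

# Constructed stand-ins for boot code; a real MBR carries ~440 bytes of x86 code here.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"trusted boot loader"
BOOTKIT_BOOT_CODE = b"\xeb\xfe" + b"malicious loader that chain-loads from unpartitioned sectors"


def build_sample_mbr(boot_code):
    """Constructed MBR: boot_code padded to 446 bytes, one active NTFS partition
    starting at LBA 63, three empty entries, and the 0x55AA signature."""
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20_000_000)
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + entry + bytes(48) + BOOT_SIGNATURE


def parse_mbr(sector):
    """Return the boot code and the non-empty partition entries; reject anything
    that is not a structurally valid MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_SIZE], "partitions": partitions}


def boot_code_hash(sector):
    """SHA-256 of the boot code only. The partition table is left out because it
    changes legitimately, and an MBR bootkit leaves it untouched anyway."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def unpartitioned_lead_sectors(sector):
    """Sectors between the MBR and the first partition (1..lba_start-1). On an
    XP-era disk this is normally 62; it is where a bootkit can hide its body,
    so it is worth dumping for inspection when the boot code is suspect."""
    starts = [p["lba_start"] for p in parse_mbr(sector)["partitions"]]
    return min(starts) - 1 if starts else 0


def check_mbr(sector, baseline_hash):
    """Findings list; empty means the MBR matches the trusted baseline."""
    findings = []
    info = parse_mbr(sector)
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from trusted baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    return findings


def replace_boot_code(sector, new_code):
    """Overwrite bytes 0..445 only, keeping the partition table and signature.
    This is what an MBR bootkit does to the disk, and also what fixmbr /
    mbr.exe -f do to undo it: the partitions stay intact and bootable."""
    return new_code.ljust(BOOT_CODE_SIZE, b"\x00") + sector[BOOT_CODE_SIZE:]


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the real sector 0 (administrator rights needed; on Linux use /dev/sda).
    Caveat: a running bootkit that filters disk I/O can hand back a clean-looking
    sector, so read from boot media or a boot-time scan when the host is suspect."""
    with open(device, "rb", buffering=0) as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    baseline = boot_code_hash(clean)          # record this while the system is known-good
    infected = replace_boot_code(clean, BOOTKIT_BOOT_CODE)
    # Partition-level view is identical, so file and partition scanners see nothing ...
    assert parse_mbr(infected)["partitions"] == parse_mbr(clean)["partitions"]
    # ... but the boot code itself has changed.
    print(check_mbr(infected, baseline))     # ['boot code differs from trusted baseline']
    repaired = replace_boot_code(infected, CLEAN_BOOT_CODE)
    print(check_mbr(repaired, baseline))     # []
```

The point the demo makes is the one the thread circles around: the infected sector is a perfectly valid MBR with the same partition table, so file scanners and partition tools have nothing to flag, and only comparing (or disassembling) the boot code itself catches the change. Rewriting those 446 bytes is why fixmbr and mbr.exe -f work without touching the file systems; the body parked in unpartitioned sectors is left behind but no longer gets executed.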

Ok, as requested the logs are attached. Sorry I couldn’t copy and paste them; they exceed the allowed message length.

Thanks,

Jamie

Follow the instructions here. http://support.kaspersky.com/viruses/solutions?qid=208280748

@ Jibbyreznor
No need to download/run TDSSKiller, because your logs are now clean and there are no traces of malware.
You did not even have this type of malware.

The rootkit that was installed on the system has been removed. The PC looks clean now.
Tell me how your computer is running now.

- Run DDS and copy/paste a fresh DDS.txt log.

TDSSKiller can also clean some types of Sinowal, not only TDSS.

Hey guys, I did what you both said. I ran TDSSKiller and it found it and killed it :) Thanks very much for your help, much appreciated :)

Thanks again

Jamie

You are welcome. Feel free to post again if you have any issues.

I have this exact same problem. What should I do?

Threat: SINOWAL@mbr[RTK]
Avast found it but can’t do anything about it.

I attached “DDS.txt” and “Attach.txt”.

You should start a new topic of your own, because helping several people in the same thread will only create chaos.

You will find the “NEW TOPIC” button in the top right corner, just above the orange line, here: http://forum.avast.com/index.php?board=4.0