sinoval rtk on my computer

I run Windows XP and use Avast free edition as virus scanner. Two days ago I received a message saying that ‘File MBR 0 is infected by sinoval@mbr [Rtk]’. When scanned by Avast, the message Rootkit found appears, file name: MBR:\PHYSICALDRIVE0

A further message reads: ‘A suspicious hidden object (rootkit) has been detected on your system. This may be a sign of malware infection. It is recommended to remove the object immediately.’

On attempting removal, Avast would neither delete it nor move it to the chest. ‘Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible}’

I have started the computer in safe mode and tried to see if anything was picked up in task master, but without success. A scan using SUPERAnti Spyware did not pick up the problem.

I would be very grateful for your help please.

You need our expert malware remover for this one…

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( OTL.Txt. / Extras.Txt. / Malwarebytes scan log. )

Thank you Pondus. I ran MBAM and the log is below. I will now go to the next (Post an OTL Log step). (The warning from Avast still pops up I might add.)

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5587

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

24/01/2011 10:05:45
mbam-log-2011-01-24 (10-05-45).txt

Scan type: Quick scan
Objects scanned: 143179
Time elapsed: 8 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I will notify Essexboy when you have posted the logs :wink:

He is usually in here from 8:00pm to 11:59pm UK time

Here is the OTL log as an attachment. Apologies for sending the MBAM in the body of the previous reply.

No problem, as the MBAM log is usually small

Many thanks Pondus, much appreciated. I shall look out for a post from Essexboy later.

Hi - first I must mention that AVG 7.5 antispyware is still running on your system. I will need to remove that before I can run combofix

We need to temporarily remove your Anti-Virus, as it interferes with the fix I want to run. You can reinstall it again later. If you are not happy about doing this, please let me know before proceeding

Download AppRemover and run it.

Click Next >>

http://www.hdrcgb.org.uk/g2g/appremover1.jpg

Ensure “Remove Security Application” is selected and click Next >>

http://www.hdrcgb.org.uk/g2g/appremover2.jpg

AppRemover will scan all the security applications on your PC

http://www.hdrcgb.org.uk/g2g/appremover3.jpg

Select Any AVG entries from the applications offered and click Next >> twice.

http://www.hdrcgb.org.uk/g2g/appremover4.jpg

Follow any further on-screen instructions. If asked to reboot, please do so.
.
THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thank you. But is it just AVG 7.5 that should be removed. I use this manually. My main virus scanner is Avast. I have downloaded and run AppRemover and checked all the boxes for protection remover. Is this right? I better check before proceeding to your next step.

Avg 7.5 is so old now that it is not really worth the disc space. I will give you a better programme in a bit ;D

Thanks. I attach the log from ComboFix.

Hmm indications of help assist there, I will close the relevant ports

  1. Please open Notepad
     - Click Start, then Run
     - Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

MBR::

Registry::
[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"6468:TCP"=-
"6467:TCP"=-
"3389:TCP"=-
"5312:TCP"=-
"9124:TCP"=-
"6392:TCP"=-
"6393:TCP"=-
"9917:TCP"=-
"9916:TCP"=-
"4414:TCP"=-
"7328:TCP"=-
"2992:TCP"=-
"4484:TCP"=-
"3314:TCP"=-
"5128:TCP"=-
"7966:TCP"=-
"7967:TCP"=-
"7195:TCP"=-
"7196:TCP"=-

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     - Combofix.txt
     - A new OTListit log.

.
THEN

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users: fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected MBR (the latter not recommended).
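The CFScript in this post deletes a list of values under the firewall's GloballyOpenPorts\List key, which is where Windows XP records firewall exceptions. As an added example (not from this thread, ComboFix or HelpAsst), here is a Python script that parses a .reg export of that key, reports any enabled exception that is not one of the XP defaults, and prints those findings in the same Registry:: deletion syntax ComboFix uses; the sample export, the allowlist of default ports and the skipping of Disabled entries are assumptions.

```python
import re

# Constructed sample .reg export (not from the thread) of the XP firewall
# standard-profile GloballyOpenPorts\List key. XP stores each exception as
#   "port:proto"="port:proto:scope:Enabled|Disabled:display name"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"65533:TCP"="65533:TCP:*:Enabled:svchost"
"9917:TCP"="9917:TCP:*:Disabled:svchost"
'''

# Assumed allowlist: the exceptions XP creates itself for File and Printer
# Sharing and Remote Desktop. Any other *enabled* exception is reported.
BASELINE = {(137, "UDP"), (138, "UDP"), (139, "TCP"), (445, "TCP"), (3389, "TCP")}

VALUE_RE = re.compile(
    r'^"(\d+):(TCP|UDP)"="(\d+):(TCP|UDP):([^:"]*):(Enabled|Disabled):(.*)"$')

def parse_open_ports(reg_text):
    """Return one dict per value found under a ...\\GloballyOpenPorts\\List key."""
    entries, in_key = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):  # key header: remember whether it is the key we want
            in_key = line.rstrip("]").lower().endswith(r"globallyopenports\list")
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            entries.append({"port": int(m.group(1)), "proto": m.group(2),
                            "scope": m.group(5), "enabled": m.group(6) == "Enabled",
                            "name": m.group(7)})
    return entries

def suspicious_entries(entries):
    """Enabled exceptions outside the baseline; disabled ones open nothing and are skipped."""
    return [e for e in entries if e["enabled"] and (e["port"], e["proto"]) not in BASELINE]

def cfscript_registry_block(entries):
    """Format findings as a ComboFix Registry:: section; a value set to '-' is deleted."""
    lines = ["Registry::", r"[HKLM~\services\sharedaccess\parameters\firewallpolicy"
             r"\standardprofile\GloballyOpenPorts\List]"]
    lines += ['"%d:%s"=-' % (e["port"], e["proto"]) for e in entries]
    return "\n".join(lines)

found = suspicious_entries(parse_open_ports(SAMPLE_REG))  # stand-alone run
print(cfscript_registry_block(found))
```

On a real machine the export comes from `reg export` of the key shown in the sample; review the reported ports before deleting anything, since the allowlist only covers the stock XP exceptions.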

Here is the log of what I got from the latest ComboFix run. There was just the one as far as I can see - I did not seem to get a new OTListit.log. I was not asked to reboot. I’ll now continue with HelpAsst…

Once done with helpassist can you let me know what problems you are experiencing

And here is the helpassist log (attached). There was indeed an mbr infection detected. No obvious other problems, but I have not reinstalled Avast. Should I do so now?

Yes reinstall avast and see if it still reports - if it does we will go for a manual fix

No adverse message about the malware has appeared since I have downloaded Avast. But I’ll clearly keep an eye open for any messages. (For some strange reason I can’t seem to register Avast even when I click the ‘Register’ button. It says registration is at today’s date and time, but the message tells me I am not registered.)

You kindly mentioned that you would supply a program in place of the outdated AVG 7.5, which I use for manual scanning so it does not interfere with Avast virus scan.

I am immensely grateful for your trouble and expertise. Thank you.

And here it is ;D Dependent on what this reports I will tidy up and remove my tools

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Many thanks. I am away from the compromised computer for a few days, but will do the download as soon as possible as I am keen to increase protection after this experience, as you might imagine. I trust that is satisfactory and does not cause you trouble.

I might add that I scanned my USB 8GB memory stick this morning with Avast and found “Threat F:FirefoxPortabe\o.dat. Win 32 sinoval - HO [trj]”. It would not repair or remove to chest. I am not sure which way the infection went, from computer to stick or vice versa. I have not used the stick since needless to say. However, if it can be repaired without reinfecting a computer that would be good - I do have quite a bit of data on it.

For the USB drive try this - no problems on time as I am subscribed to this thread ;D

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don’t delete this folder; it will help protect your drives from future infection.