Virus Sinowal Master Boot Record-virus

Hi, I'm having trouble with a rootkit. Avast detects Sinowal. I've run Malwarebytes and Avast and they removed most rootkits, but that Sinowal is still left in MBR 0. It says "file infected MBR 0 Sinowal".

I've figured that I have to run an MBR fix somehow; I would be really glad if someone could help me out…

We can try.

OK, here it is…

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-04 14:58:43

14:58:43.781 OS Version: Windows 5.1.2600 Service Pack 3
14:58:43.781 Number of processors: 2 586 0xE08
14:58:43.781 ComputerName: EDUAROLI-B393CF UserName: Eduarolito
14:58:44.937 Initialize success
14:58:48.328 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
14:58:48.328 Disk 0 Vendor: TOSHIBA_MK6008GAH BU022C Size: 57231MB BusType: 3
14:58:48.328 Disk 0 MBR read error
14:58:48.328 Disk 0 MBR scan
14:58:48.328 MBR BIOS signature not found 0
14:58:48.343 Disk 0 scanning sectors +117195120
14:58:48.343 Disk 0 scanning C:\WINDOWS\system32\drivers
14:59:11.140 Service scanning
14:59:12.734 Disk 0 trace - called modules:
14:59:12.734 ntkrnlpa.exe >>UNKNOWN [0x865d30e8]<<
14:59:12.734 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86524ab8]
14:59:12.734 \Driver\Disk[0x86526a08] → IRP_MJ_CREATE → 0x865d30e8
14:59:12.734 Scan finished successfully

Hmmmm… that looks clean?

Run Kaspersky TDSSKiller, follow the instructions and post the log
http://support.kaspersky.com/faq/?qid=208283363

Uh, well, you tell me… hehe.

Thing is, Avast still detects Sinowal at MBR 0 every time I boot-scan…

I'll try TDSSKiller then…

OK, it found 3 viruses, one of them Sinowal! It said it could "cure" it, but I pressed "skip" on the other two… I guess I should run it again and delete the other two?

2011/04/04 15:16:33.0515 6228 ================================================================================
2011/04/04 15:16:33.0515 6228 Scan finished
2011/04/04 15:16:33.0515 6228 ================================================================================
2011/04/04 15:16:33.0515 2408 Detected object count: 3
2011/04/04 15:17:26.0375 2408 Locked file(dtscsi) - User select action: Skip
2011/04/04 15:17:26.0375 2408 Locked file(sptd) - User select action: Skip
2011/04/04 15:17:26.0453 2408 \HardDisk0 (Backdoor.Win32.Sinowal.knf) - will be cured after reboot
2011/04/04 15:17:26.0453 2408 \HardDisk0 - ok
2011/04/04 15:17:26.0453 2408 Backdoor.Win32.Sinowal.knf(\HardDisk0) - User select action: Cure
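Added example (not from this thread or from the tools' authors): a small parser for the two log formats posted above, so the aswMBR output and the TDSSKiller output can be summarised consistently. It pulls the declared detection count, the per-object user actions and anything deferred until reboot out of a TDSSKiller log, lists objects still marked Skip, and flags the MBR read error / missing BIOS signature lines in an aswMBR log. The sample log text is constructed to match the shape of the logs in this thread; the function names are my own.

```python
import re

# Constructed sample, shaped like the TDSSKiller log posted in this thread.
TDSSKILLER_LOG = """\
2011/04/04 15:16:33.0515 2408 Detected object count: 3
2011/04/04 15:17:26.0375 2408 Locked file(dtscsi) - User select action: Skip
2011/04/04 15:17:26.0375 2408 Locked file(sptd) - User select action: Skip
2011/04/04 15:17:26.0453 2408 \\HardDisk0 (Backdoor.Win32.Sinowal.knf) - will be cured after reboot
2011/04/04 15:17:26.0453 2408 \\HardDisk0 - ok
2011/04/04 15:17:26.0453 2408 Backdoor.Win32.Sinowal.knf(\\HardDisk0) - User select action: Cure
"""

# Constructed sample, shaped like the aswMBR log posted in this thread.
ASWMBR_LOG = """\
14:58:48.328 Disk 0 MBR read error
14:58:48.328 Disk 0 MBR scan
14:58:48.328 MBR BIOS signature not found 0
14:59:12.734 Scan finished successfully
"""

# TDSSKiller lines: "<date> <time> <id> <message>"
LINE_RE = re.compile(r"^\S+ \S+ \d+ (?P<msg>.*)$")
ACTION_RE = re.compile(r"^(?P<obj>.+?) - User select action: (?P<action>\w+)$")


def tdsskiller_summary(log):
    """Return (declared detection count, {object: chosen action}, [objects cured after reboot])."""
    count, actions, pending = None, {}, []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        action = ACTION_RE.match(msg)
        if msg.startswith("Detected object count:"):
            count = int(msg.split(":", 1)[1])
        elif action:
            actions[action.group("obj")] = action.group("action")
        elif msg.endswith("- will be cured after reboot"):
            pending.append(msg.rsplit(" - ", 1)[0])
    return count, actions, pending


def unresolved(actions):
    """Objects the user skipped, i.e. still present after the run."""
    return sorted(obj for obj, act in actions.items() if act == "Skip")


def aswmbr_mbr_anomalies(log):
    """aswMBR messages (timestamp stripped) indicating the MBR could not be read normally."""
    flags = ("MBR read error", "BIOS signature not found")
    return [ln.split(" ", 1)[1] for ln in log.splitlines() if any(f in ln for f in flags)]
```

A scan summary that reports "Scan finished successfully" while also containing MBR read anomalies is worth a second look rather than being taken as clean.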

Yep, and reboot.

When done, continue with this:

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )

Note: Save the OTS log as ANSI and not Unicode;
that also goes for the TDSSKiller log.

Essexboy will then check the logs when he arrives here later, and tell us what we did wrong ;D
He will be here in about 4-5 hours.