02-15-2012 06:30 PM - edited 02-15-2012 06:32 PM
I didn't press "Fix" yet since you didn't say to. Should I fix the problems? It took a very long time to perform a complete scan (about 3 hours).
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-15 18:30:43
18:30:43.421 OS Version: Windows x64 6.1.7601 Service Pack 1
18:30:43.421 Number of processors: 8 586 0x1A05
18:30:43.421 ComputerName: REDBULLCORNHOLI UserName: XXXX
18:30:48.601 Initialize success
18:30:51.128 AVAST engine defs: 12021501
18:30:58.195 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:30:58.195 Disk 0 Vendor: ST3500320AS SD15 Size: 476940MB BusType: 3
18:30:58.195 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-3
18:30:58.195 Disk 1 Vendor: ST3320620AS 3.AAE Size: 305245MB BusType: 3
18:30:58.210 Disk 2 \Device\Harddisk2\DR2 -> \Device\Scsi\mv61xx1Port4Path0Target0Lun0
18:30:58.210 Disk 2 Vendor: Maxtor_6 Size: 156334MB BusType: 8
18:30:58.210 Device \Driver\atapi -> MajorFunction fffffa8006bf35c4
18:30:58.210 Disk 0 MBR read successfully
18:30:58.210 Disk 0 MBR scan
18:30:58.226 Disk 0 MBR: Pihar-C [Rtk]
18:30:58.226 Disk 0 TDL4@MBR code has been found
18:30:58.226 Disk 0 Windows 7 default MBR code found via API
18:30:58.226 Disk 0 MBR hidden
18:30:58.226 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
18:30:58.241 Disk 0 MBR [TDL4] **ROOTKIT**
18:30:58.241 Disk 0 trace - called modules:
18:30:58.241 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006bf35c4]<<
18:30:58.241 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006600790]
18:30:58.257 3 CLASSPNP.SYS[fffff8800181743f] -> nt!IofCallDriver -> [0xfffffa80062fc4d0]
18:30:58.257 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800630d060]
18:30:58.257 \Driver\atapi[0xfffffa80065a2e70] -> IRP_MJ_CREATE -> 0xfffffa8006bf35c4
18:31:00.269 AVAST engine scan C:\Windows
18:31:21.158 AVAST engine scan C:\Windows\system32
18:38:48.192 AVAST engine scan C:\Windows\system32\drivers
18:39:44.633 AVAST engine scan C:\Users\XXXX
20:26:47.310 AVAST engine scan C:\ProgramData
20:46:35.111 Scan finished successfully
21:20:03.022 Disk 0 MBR has been saved successfully to "C:\Users\XXXX\Documents\MBR.dat"
21:20:03.038 The log file has been saved successfully to "C:\Users\XXXX\Documents\aswMBR 2-15-12.txt"
02-15-2012 09:03 PM - edited 02-15-2012 09:07 PM
You are infected with the TDL4 rootkit...
How to fix
On completion of the scan
Click the [Fix] for TDL4 (MBRoot)
Download ComboFix from any of the locations given in this website:
02-16-2012 04:34 AM
I fixed and rebooted. I performed another scan with aswMBR, and it showed that it was clean, except it gave me the option to Fix MBR. Should I do this before running ComboFix? I looked at the Web Threats and it has stopped. It seems aswMBR fixed the problem. Also, is there a way to run ComboFix without uninstalling TM? I run ComboFix in Safe Mode since that is what the instructions require. In Safe Mode, it appears TM is turned off because Windows is not showing that it's running. However, ComboFix says it is. Whenever I continue with the ComboFix scan, I have to re-install TM because it doesn't work after the scan.
Here is the log file for aswMBR:
aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-15 21:56:54
21:56:54.352 OS Version: Windows x64 6.1.7601 Service Pack 1
21:56:54.352 Number of processors: 8 586 0x1A05
21:56:54.352 ComputerName: REDBULLCORNHOLI UserName: XXXX
21:56:56.630 Initialize success
21:57:02.932 AVAST engine defs: 12021501
21:57:20.700 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
21:57:20.700 Disk 0 Vendor: ST3500320AS SD15 Size: 476940MB BusType: 3
21:57:20.700 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-7
21:57:20.700 Disk 1 Vendor: ST3320620AS 3.AAE Size: 305245MB BusType: 3
21:57:20.700 Disk 2 \Device\Harddisk2\DR2 -> \Device\Scsi\mv61xx1Port4Path0Target0Lun0
21:57:20.700 Disk 2 Vendor: Maxtor_6 Size: 156334MB BusType: 8
21:57:20.747 Disk 0 MBR read successfully
21:57:20.747 Disk 0 MBR scan
21:57:20.747 Disk 0 Windows 7 default MBR code
21:57:20.762 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
21:57:20.778 Service scanning
21:57:28.874 Modules scanning
21:57:28.874 Disk 0 trace - called modules:
21:57:29.389 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
21:57:29.405 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065ff790]
21:57:29.405 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8006314520]
21:57:29.405 5 ACPI.sys[fffff88000fa67a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800630e060]
21:57:30.621 AVAST engine scan C:\Windows
21:57:36.315 AVAST engine scan C:\Windows\system32
22:03:48.672 AVAST engine scan C:\Windows\system32\drivers
22:04:26.269 AVAST engine scan C:\Users\XXXX
23:05:26.115 AVAST engine scan C:\ProgramData
23:15:24.532 Scan finished successfully
03:12:06.859 Disk 0 MBR has been saved successfully to "C:\Users\XXXX\Documents\MBR.dat"
03:12:06.906 The log file has been saved successfully to "C:\Users\XXXX\Documents\aswMBR 2-16-12.txt"
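A small triage helper for aswMBR output, added here as an example and not part of aswMBR or of any post in this thread: it parses constructed excerpts of the two logs above (the infected 18:30 capture and the clean 21:57 capture), pulls out the signature hit, the hidden-MBR flag and the >>UNKNOWN<< address in the call trace, and ties that address back to the \Driver\atapi MajorFunction entry to name the hooked driver.

```python
import re

# Constructed excerpts modelled on the two aswMBR logs posted above (the infected
# 18:30 capture and the post-fix 21:57 capture); they are not the complete logs.
LOG_INFECTED = r"""
18:30:58.210 Device \Driver\atapi -> MajorFunction fffffa8006bf35c4
18:30:58.226 Disk 0 MBR: Pihar-C [Rtk]
18:30:58.226 Disk 0 MBR hidden
18:30:58.241 Disk 0 MBR [TDL4] **ROOTKIT**
18:30:58.241 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8006bf35c4]<<
"""
LOG_CLEAN = r"""
21:57:20.747 Disk 0 Windows 7 default MBR code
21:57:29.389 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS hal.dll atapi.sys
"""
RE_ROOTKIT = re.compile(r"Disk (\d+) MBR \[(\w+)\] \*\*ROOTKIT\*\*")
RE_DETECT = re.compile(r"Disk (\d+) MBR: (\S+)")           # signature hit on the raw MBR
RE_HIDDEN = re.compile(r"Disk (\d+) MBR hidden")          # API view of MBR != raw read
RE_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<")  # trace left all known modules
RE_HOOK = re.compile(r"Device (\\Driver\\\w+) -> MajorFunction ([0-9a-f]+)")

def parse_aswmbr(text):
    """Collect the MBR/rootkit indicators aswMBR prints, keyed by disk number."""
    ind = {"rootkit": {}, "detections": {}, "hooks": {}, "unknown": set(), "mbr_hidden": set()}
    for line in text.splitlines():
        if m := RE_ROOTKIT.search(line):
            ind["rootkit"][int(m[1])] = m[2]
        if m := RE_DETECT.search(line):
            ind["detections"][int(m[1])] = m[2]
        if m := RE_HIDDEN.search(line):
            ind["mbr_hidden"].add(int(m[1]))
        if m := RE_UNKNOWN.search(line):
            ind["unknown"].add(int(m[1], 16))
        if m := RE_HOOK.search(line):
            ind["hooks"][m[1]] = int(m[2], 16)
    return ind

def hooked_drivers(ind):
    """Drivers whose dispatch entry is the unattributed address seen in the call trace."""
    return sorted(d for d, a in ind["hooks"].items() if a in ind["unknown"])

def disk_verdict(ind, disk=0):
    """'infected' on a signature hit, 'suspicious' on a hidden MBR or unattributed hook."""
    if disk in ind["rootkit"] or disk in ind["detections"]:
        return "infected"
    if disk in ind["mbr_hidden"] or hooked_drivers(ind):
        return "suspicious"
    return "clean"
```

Running it over the two excerpts gives "infected" for the first capture (with \Driver\atapi named as the hooked driver) and "clean" for the second, which matches the verdict given in the thread.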
02-16-2012 04:35 AM - edited 02-16-2012 04:57 AM
Please run ComboFix in Safe Mode, bypass any warnings, and attach the ComboFix log.
The aswMBR log is fine now. No need to run it again.
02-16-2012 09:02 AM
I am following this very closely, we have the same problem.
On the ComboFix, the user emailed me and said it cleaned 100 items but for the remaining 3000 items we have to pay for it. Does ComboFix cost money? Let me know, and thank you.
Also, how come Trend Micro can't remove this? It's a pain to pay all of this money to Trend for all of our CPUs and they don't catch something that has been out there for this long.
02-16-2012 02:45 PM
I ran ComboFix again and attached the log file. It appears the problem has been fixed. Thanks malwarekiller for all of your help.
02-16-2012 08:14 PM - edited 02-16-2012 08:15 PM
Simply delete all tools we used.
Subject to no further problems, your computer is clean.
Now let me do some tune-ups.
Mark this topic as solved: use the options tab of your topic to do so. Select the reply which you think is the solution to your problem, then click on the options tab of that particular reply and select "mark as solution".
For the first run I would recommend a boot defrag and disk check
Download and run Puran Disc Defragmenter
You may use this tool to keep junk temp files away:
Malwarebytes: update and run it today. I also recommend running it weekly to keep your system clean.
Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.
To manually create a new Restore Point
Now we can purge the infected ones
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
02-16-2012 08:17 PM - edited 02-16-2012 08:22 PM
purdyra, please make a separate topic in the Malware discussion board and I will help you there.
02-17-2012 09:32 PM
Happy to help!