OK,...we ran TDSSKiller. Two Threats were detected as follows:
1. Rootkit.Boot.Pihar.b
Physical drive: \Device\Harddisk0\DR0
Malware object, high risk.
2. TDSS File System
Physical drive: \Device\Harddisk0\DR0
Suspicious object, medium risk.
It was necessary to reboot. Screen info was as follows [NOTE: While we were writing this down, a pop-up cam up - NORTON HAS BLOCKED THREATS.]
Processed 466 Objects, details
Found: 2 threats
Neutralized: 1 threat
Quarantined: 14 objects.
When we clicked on "reboot", the hp logo came on and disappeared (the way it's supposed to).
The log that was generated from TDSSKiller is pretty big - not having done this before, can I just attach the log's text document? JUST FYI - We were going to copy & paste it, but when we were copying it, a Malwarebytes pop-up appeared w/ the following message: "MALWAREBYTES HAS DETECTED A MALICIOUS PROCESS ATTEMPTING TO START AND HAS BLOCKED THE EXECUTION ATTEMPT. PLEASE SELECT AN OPTION BELOW (DISABLE PROTECTION; IGNORE; OR QUARANTINE). The thing it blocked was C:\WINDOWS\SVCHOST.EXE TROJAN.AGENT. Do we have to run TDSSKiller again,...then aswMBR again? Not knowing what to do and not being able to go any further w/o selecting one of the actions, we just picked QUARANTINE.
We then ran aswMBR as instructed. It looks like it detected/found 4 files that were infected. Here's the log:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-27 22:22:57
-----------------------------
22:22:57.915 OS Version: Windows x64 6.1.7601 Service Pack 1
22:22:57.915 Number of processors: 4 586 0x2505
22:22:57.915 ComputerName: LEGITIMENT UserName:
22:23:00.364 Initialize success
22:24:07.111 AVAST engine defs: 12032702
22:24:43.350 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:24:43.350 Disk 0 Vendor: ST950042 0006 Size: 476940MB BusType: 3
22:24:43.365 Disk 0 MBR read successfully
22:24:43.365 Disk 0 MBR scan
22:24:43.365 Disk 0 unknown MBR code
22:24:43.381 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
22:24:43.397 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 452408 MB offset 409600
22:24:43.428 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 24228 MB offset 926941184
22:24:43.459 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
22:24:43.506 Disk 0 scanning C:\Windows\system32\drivers
22:24:55.955 Service scanning
22:25:24.066 Modules scanning
22:25:24.066 Disk 0 trace - called modules:
22:25:24.596 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
22:25:24.612 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800528d790]
22:25:24.612 3 CLASSPNP.SYS[fffff88001a5143f] -> nt!IofCallDriver -> [0xfffffa800512cb10]
22:25:24.627 5 hpdskflt.sys[fffff88001dc7289] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004f8e050]
22:25:26.453 AVAST engine scan C:\Windows
22:25:29.183 AVAST engine scan C:\Windows\system32
22:29:09.393 AVAST engine scan C:\Windows\system32\drivers
22:29:31.981 AVAST engine scan C:\Users\Sascomander
22:31:36.282 File: C:\Users\Sascomander\AppData\Local\Temp\_av4_\data\aswar0.dll **INFECTED** Win32:Malware-gen
22:31:36.782 File: C:\Users\Sascomander\AppData\Local\Temp\_av4_\data\updldr0.bin **INFECTED** Win32:Malware-gen
22:34:35.480 AVAST engine scan C:\ProgramData
22:36:08.456 File: C:\ProgramData\Microsoft\Windows\DRM\EDF9.tmp **INFECTED** Win32:Malware-gen
22:36:08.503 File: C:\ProgramData\Microsoft\Windows\DRM\EDFA.tmp **INFECTED** Win32:Malware-gen
22:38:46.968 Scan finished successfully
22:41:17.087 Disk 0 MBR has been saved successfully to "C:\Users\Sascomander\Desktop\MBR.dat"
22:41:17.103 The log file has been saved successfully to "C:\Users\Sascomander\Desktop\aswMBR.txt"
Thanks again for all your help.
