Avast WEBforum
Other => Viruses and worms => Topic started by: serkam on March 31, 2011, 03:12:15 PM
-
Hi
I used aswMBR as stated in another topic; apparently it removed the rootkit, as shown in the attached log, but after a reboot Avast complains that the rootkit is still present:
MBR:\\.\PHYSICALDRIVE0
(remove)
\\.\PHYSICALDRIVE0 MBR: TDL4
(remove)
I already did a full boot-time scan (it took all night) using the current Avast Free version (6.0.1000), and also with Malwarebytes' Anti-Malware.
What can I do now to remove this rootkit, please?
-
Which button did you click, "FIX MBR" or "FIX"?
Do a new scan, click "Save log" and post it here.
Follow this guide from our expert malware remover Essexboy:
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)
To avoid multiple posts with copy-and-paste, attach the logs instead:
Lower left corner: Additional Options > Attach (Malwarebytes log / OTS log)
Essexboy will check the log(s) when he arrives later today.
-
Hi Pondus
I clicked FIX, because the FIXMBR button was greyed out. I have attached the image and the log.
Thanks
-
Could you post a fresh aswMBR log please, along with the OTS log?
-
Hi Essexboy
Here are the logs you requested.
Rootkit still alive.
Best Regards
-
Do you have a file called MBR.dat on your desktop?
We will use TDSSKiller for now. I would also like an OTS log as well, in case there is a respawner on your system.
Please read carefully and follow these steps.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
- If an infected file is detected, the default action will be Cure, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png)
- If a suspicious file is detected, the default action will be Skip, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it.
- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
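The "MBR: TDL4" detection in the first post and the MBR.dat question above both concern the same 512-byte sector. The following Python script is an added example, not code from the thread or from the aswMBR/TDSSKiller authors: it parses an MBR dump, hashes the boot code and compares it with a known-good baseline, and applies a trailing-unallocated-space heuristic. The partition layout, the boot-code bytes, the 1 MiB threshold and the hash baseline are all constructed for illustration; the "infected" bytes are arbitrary stand-ins, not real TDL4 code. Reading the live MBR from `\\.\PhysicalDrive0` needs an elevated prompt on Windows; the sample runs entirely on in-memory data.

```python
"""Inspect a 512-byte MBR dump and compare it to a known-good baseline (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code in the classic MBR layout
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
SIGNATURE_OFF = 510      # bytes 510..511: 0x55 0xAA boot signature


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR. Used only to construct the sample data below."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, n_sectors) in enumerate(partitions):
        # status, CHS start (dummy), type, CHS end (dummy), LBA start, sector count
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\x01\x01\x00",
                         ptype, b"\xfe\xff\xff", lba_start, n_sectors)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


def read_mbr(path):
    """Read the first sector of a file such as the MBR.dat dump aswMBR writes."""
    # On Windows, read_mbr(r"\\.\PhysicalDrive0") from an elevated shell reads the live MBR.
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Return boot-signature status, a SHA-256 of the boot code and the partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, n_sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": n_sectors})
    return {
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, baseline_boot_hash, disk_sectors=None):
    """Return a list of findings; an empty list means nothing looked wrong.

    A bootkit that patches the MBR typically rewrites the boot code but keeps the
    partition table and the 0x55AA signature intact so the machine still boots, so
    the boot-code hash is the primary check. The trailing-space check is a heuristic
    (assumed threshold): some bootkits keep their payload in unallocated sectors
    after the last partition, but legitimate disks can have such a gap too.
    """
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from known-good baseline")
    if disk_sectors is not None and info["partitions"]:
        last_end = max(p["lba_start"] + p["sectors"] for p in info["partitions"])
        tail = disk_sectors - last_end
        if tail > 2048:   # more than 1 MiB of unallocated tail space (assumed threshold)
            findings.append(f"{tail} unallocated sectors after the last partition")
    return findings


# Constructed samples. The "clean" boot code is the usual xor ax,ax / mov ss,ax /
# mov sp,7C00h prologue; the "bootkit" bytes are arbitrary stand-ins, not real TDL4 code.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
BOOTKIT_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb\x0e\x07"
PARTITIONS = [(True, 0x07, 2048, 204800)]     # one bootable NTFS partition, 100 MiB

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
INFECTED_MBR = build_mbr(BOOTKIT_BOOT_CODE, PARTITIONS)   # same table, different boot code
CLEAN_BOOT_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    for name, mbr, size in (("clean", CLEAN_MBR, 2048 + 204800 + 1024),
                            ("infected", INFECTED_MBR, 2048 + 204800 + 65536)):
        print(name, check_mbr(mbr, CLEAN_BOOT_HASH, disk_sectors=size) or ["no findings"])
```

The baseline hash is the weak point of this check: it has to come from a copy of the MBR taken before the infection (or from a freshly written standard boot sector on the same Windows version), not from the disk being examined. A hash mismatch says only that the boot code is not what you expected; identifying which bootkit wrote it is what the aswMBR and TDSSKiller signatures do.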
-
Hi Essexboy
Good afternoon.
It worked!!!
Avast doesn't complain about the rootkit anymore. At least, not so far.
I can't upload both logs, so I will upload the TDSSKiller log first, and the OTS log in the next reply, OK?
Good work.
Have a nice weekend.
-
The OTS log file is larger than this forum's maximum limit.
If you need it, I'll break it into 2 parts, OK?
Thanks.
-
- You can use a file-sharing site such as Mediafire.com: upload to http://www.mediafire.com/ and post the sharing link.
-
The reason the log is too large is that it is saved as Unicode. Could you re-save it as ANSI? Then it will fit.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled.gif)
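Why re-saving as ANSI halves the file: Notepad's "Unicode" is UTF-16 with a byte-order mark, two bytes per character, while ANSI is one byte per character. The following Python function is an added example, not part of the thread, that does the same conversion as Notepad's Save As dialog and additionally reports how many characters had no ANSI equivalent and were replaced with "?" (the one thing you lose in the conversion). The code page (cp1252, Western European) and the sample log lines are assumptions constructed for the example.

```python
"""Re-encode a UTF-16 ("Unicode") log as single-byte ANSI text (added example)."""
import codecs


def log_to_ansi(data, codepage="cp1252"):
    """Return (ansi_bytes, replaced_count) for a log saved with a BOM.

    Data without a recognised BOM is assumed to be single-byte text already and is
    returned unchanged. Characters that the target code page cannot represent are
    replaced with '?' and counted so the caller knows the conversion was lossy.
    """
    if data.startswith(codecs.BOM_UTF16_LE):       # what Notepad calls "Unicode"
        text = data[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    elif data.startswith(codecs.BOM_UTF16_BE):     # "Unicode big endian"
        text = data[len(codecs.BOM_UTF16_BE):].decode("utf-16-be")
    elif data.startswith(codecs.BOM_UTF8):         # "UTF-8" (with BOM)
        text = data[len(codecs.BOM_UTF8):].decode("utf-8")
    else:
        return data, 0
    out = bytearray()
    replaced = 0
    for ch in text:
        try:
            out += ch.encode(codepage)
        except UnicodeEncodeError:
            out += b"?"
            replaced += 1
    return bytes(out), replaced


# Constructed sample: three OTS-style lines, one containing a non-ANSI character,
# saved the way Notepad saves "Unicode" (UTF-16 LE with BOM).
SAMPLE_LOG = ("OTS log - constructed sample\r\n"
              "C:\\Windows\\System32\\drivers\\atapi.sys\r\n"
              "non-ANSI character: \u2713\r\n")
UNICODE_LOG = codecs.BOM_UTF16_LE + SAMPLE_LOG.encode("utf-16-le")

if __name__ == "__main__":
    ansi, replaced = log_to_ansi(UNICODE_LOG)
    print(f"unicode: {len(UNICODE_LOG)} bytes, ansi: {len(ansi)} bytes, "
          f"{replaced} character(s) replaced")
```

To apply it to a real log, read the file with `open(path, "rb")`, pass the bytes to `log_to_ansi`, and write the first element of the result back with `open(out_path, "wb")`; a non-zero second element means the original should be kept as well, because the replaced characters (usually accented path names) are gone from the ANSI copy.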