Author Topic: Win32:MBRoot  (Read 8158 times)

Stable

  • Guest
Win32:MBRoot
« on: February 22, 2011, 12:26:19 AM »
Hi, I've got a message from avast saying that it has detected a rootkit with a heuristic method, saying "\\.\physicaldrive0 MBR:Win32:MBRoot".

The delete option doesn't seem to work, nor does the boot time scan. I've also run Malwarebytes' Anti-Malware, which didn't find anything relevant (I attached the log anyway).

So I ran the OTL tool from this thread. I've attached the log. I had to run it more than once, because the first time I realised my comp's date setting was wrong, and the extras file said it couldn't access several databases, but now I have no extras file. I hope that's not essential, don't know why it's stopped appearing.

Thanks in advance.

Offline Pondus

Re: Win32:MBRoot
« Reply #1 on: February 22, 2011, 12:31:03 AM »
Essexboy is notified...

You'll find him here tomorrow at 8:00pm - 11:59pm UK time
http://www.timeanddate.com/worldclock/

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:MBRoot
« Reply #2 on: February 22, 2011, 07:42:07 PM »
OK, let's go for it  :D

Download aswMBR.exe ( 511KB ) to your desktop.

Double-click the aswMBR.exe to run it

Click the "Scan" button to start scan

Click the "Fix" in case of infection

Save the aswMBR.log to the desktop and post in your next reply

THEN

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Stable

  • Guest
Re: Win32:MBRoot
« Reply #3 on: February 24, 2011, 06:19:22 PM »
Well, I've rebooted and the message hasn't popped up, so it seems to have been cleared. Thanks very much! I assume changing all my passwords now would be a good idea.

Reports attached.

Offline essexboy

Re: Win32:MBRoot
« Reply #4 on: February 24, 2011, 07:04:07 PM »
Excellent, aswMBR killed it first.

Do you have any other problems?

And yes, it would be prudent to change passwords.

Stable

  • Guest
Re: Win32:MBRoot
« Reply #5 on: February 24, 2011, 08:24:30 PM »
Nope, that's me sorted.
Thanks again essexboy!

Offline essexboy

Re: Win32:MBRoot
« Reply #6 on: February 24, 2011, 08:33:44 PM »
OK, just delete both files from your desktop and enjoy  ;D

luck33ro

  • Guest
Re: Win32:MBRoot
« Reply #7 on: April 11, 2011, 12:22:09 PM »
Hi guys,

I just installed Comodo Time Machine and my Avast is reporting it as Win32:MBRoot. Do you think it is a false positive message? I deleted it with your instructions, but I really want to keep that program on my system.
More interesting is that on my laptop Avast is not notifying me about this MBRoot, and I have the same application installed there!!!

What shall I do?  ???

Thanks

Lucian

Offline Asyn

Re: Win32:MBRoot
« Reply #8 on: April 11, 2011, 12:38:11 PM »
What shall I do?  ???

Open a new topic for your problem. ;)
Thanks,
asyn