Author Topic: Rootkit: hidden boot sector  (Read 35608 times)


Arif92

  • Guest
Rootkit: hidden boot sector
« on: February 04, 2011, 01:03:09 PM »
Hi, I'm a new user of avast. Once I performed my full scan, 1 virus was detected; it's the rootkit 'hidden boot sector'. I've tried to delete it, but it's still not deleted. That virus has already booted my system a lot of times. I really need your help on how to remove it.
I hope someone can help me by giving full instructions on how to remove it, because I'm not really an expert in computers.
Lastly, I hope someone can help me now, because this Feb 6 I'm going to a place that has a very poor internet connection.
Sorry for my English. Thank you.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37544
  • Not a avast user
Re: Rootkit: hidden boot sector
« Reply #1 on: February 04, 2011, 01:07:41 PM »
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)


To avoid using multiple posts with copy and paste, you have to attach the logs
Lower left corner: Additional Options > Attach ( OTL.Txt. / Extras.Txt / Malwarebytes scan log )

Essexboy will be notified when you have posted the logs here....
He is usually in here 8:00pm - 11:59pm UK time

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit: hidden boot sector
« Reply #2 on: February 04, 2011, 08:47:24 PM »
Hi there, let's cut straight to the chase: two programmes for you to run.  Could you run them in the order posted please, as we are working on an Avast tool to clean this and any data we can gain would be useful

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it, place a tick in the Trace disc IO calls box

Click the "Scan" button to start scan

Click the "Fix" in case of infection

Save the aswMBR.log to the desktop

THEN

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

milopitta

  • Guest
Re: Rootkit: hidden boot sector
« Reply #3 on: February 10, 2011, 01:59:13 AM »
Hi! I am also a new user of avast and I had exactly the same problem with 'hidden boot sector'. I did what you said. Downloaded aswMBR and everything. Virus detected and fixed.
Then TDSSKiller, but with that no virus was detected.
Then I ran a scan with avast and the hidden boot sector had vanished!!!!
Thank you very very much. This had caused problems on my computer!
I've not understood exactly what I should copy-paste and where. If it will help, tell me what I should send you. Thanks again!!!

Pedro Hin

  • Guest
Re: Rootkit: hidden boot sector
« Reply #4 on: February 10, 2011, 03:33:59 AM »
Hi there, let's cut straight to the chase: two programmes for you to run.  Could you run them in the order posted please, as we are working on an Avast tool to clean this and any data we can gain would be useful

Download aswMBR.exe ( 511KB ) to your desktop.

Thank you for this. MBR infections have grown so much in recent weeks (or are you just finding them better?)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit: hidden boot sector
« Reply #5 on: February 10, 2011, 08:45:09 PM »
They have been around for a while, but it appears that they are now getting cheaper to buy 

Avast-s

  • Guest
Re: Rootkit: hidden boot sector
« Reply #6 on: February 14, 2011, 03:07:47 PM »
I found this. What does it mean?


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit: hidden boot sector
« Reply #7 on: February 14, 2011, 06:49:11 PM »
Looks like the TDL3 variant

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Adambrix

  • Guest
Re: Rootkit: hidden boot sector
« Reply #8 on: March 01, 2011, 01:22:24 PM »
Hi Folks, Seems I have a similar problem, please find the logs attached. I tried tdsskiller but it didn't work. aswMBR only comes up with the option to fixMBR which is followed by a warning that it could alter my system so not sure what to do now? Any help greatly appreciated.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit: hidden boot sector
« Reply #9 on: March 01, 2011, 07:47:30 PM »
Could you download the latest version of aswMBR please and scan - this time the Fix button should be available; if so, press that one and not FixMBR

Also could you zip the file called mbr.dat on your desktop and e-mail it to me please

If for some reason aswMBR does not offer the fix option

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Adambrix

  • Guest
Re: Rootkit: hidden boot sector
« Reply #10 on: March 02, 2011, 11:39:24 AM »
Hi Essexboy, thanks for the reply. Bit of confusion, aswMBR does have just a fix button but it is greyed out even after the scan (version 0.9.3). Have tried using TDSSKiller but the rootkit is still showing, even after reboot. Your e-mail address is hidden so not sure where to send DAT file? Cheers. Adam

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit: hidden boot sector
« Reply #11 on: March 02, 2011, 07:30:22 PM »
Could you attach the TDSSKiller log please so that I can see what variant it is, also the aswMBR log

Right click the dat file and scan with Avast - which should add it to the chest.  Then from within the virus chest right click and select upload to virus labs

Adambrix

  • Guest
Re: Rootkit: hidden boot sector
« Reply #12 on: March 02, 2011, 07:34:55 PM »
Here you go dude. Will follow your other instructions.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Rootkit: hidden boot sector
« Reply #13 on: March 02, 2011, 07:38:23 PM »
Could you rerun aswMBR please and not press any buttons, just post the log generated

Adambrix

  • Guest
Re: Rootkit: hidden boot sector
« Reply #14 on: March 02, 2011, 08:08:16 PM »
This ok?