Author Topic: aswMBR says that removed the rootkit, but in fact didn't  (Read 5082 times)

Offline serkam

aswMBR says that removed the rootkit, but in fact didn't
« on: March 31, 2011, 01:12:15 PM »
Hi

I used aswMBR as described in another topic. Apparently it removed the rootkit, as shown in the attached log, but after a reboot Avast complains that the rootkit is still present:

MBR:\\.\PHYSICALDRIVE0
(remove)

\\.\PHYSICALDRIVE0 MBR: TDL4
(remove)

I already did a full boot-time scan (it took all night) using the current Avast Free version (6.0.1000) and also scanned with Malwarebytes' Anti-Malware.

What can I do now to remove this rootkit, please?


Offline Pondus

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #1 on: March 31, 2011, 03:19:24 PM »
Which button did you click, "FIX MBR" or "FIX"?
Do a new scan, click "save log" and post it here.


Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)


To avoid multiple posts with copy and paste, attach the logs:
Lower left corner: Additional Options > Attach (Malwarebytes log / OTS log)


Essexboy will check the log(s) when he arrives later today.


Offline serkam

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #2 on: March 31, 2011, 03:28:23 PM »
Hi Pondus

I clicked FIX, because the FIXMBR button was greyed out. I attached the image and the log.


Thanks

Offline essexboy

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #3 on: March 31, 2011, 05:25:36 PM »
Could you post a fresh aswMBR log please, along with the OTS log?

Offline serkam

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #4 on: April 01, 2011, 06:30:58 PM »
Hi Essexboy

The logs you requested follow.

Rootkit still alive.

Best Regards

Offline essexboy

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #5 on: April 01, 2011, 06:49:08 PM »
Do you have on your desktop a file called MBR.dat ?

We will use TDSSKiller for now. I would also like an OTS log in case there is a respawner on your system.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click TDSSKiller.exe to run the application, then click Start Scan.
  • If an infected file is detected, the default action will be Cure; click Continue.
  • If a suspicious file is detected, the default action will be Skip; click Continue.
  • It may ask you to reboot the computer to complete the process. Click Reboot Now.
  • If no reboot is required, click Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Download OTS to your Desktop and double-click it to run it.
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users.
  • Under Additional Scans select the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

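The thread turns on a simple fact: aswMBR reported the TDL4 MBR infection as fixed, yet the boot sector was still infected after the reboot. A TDL4-class bootkit overwrites the 446 bytes of boot code in sector 0 but leaves the partition table alone, so a check that only inspects partitions sees nothing wrong. The added example below (my own code, not part of aswMBR, TDSSKiller or this forum post) parses a 512-byte MBR, hashes the boot-code region, and compares a live sector against a backup such as the MBR.dat that essexboy asks about. The sample sectors are constructed in the code; the partition layout, boot-code bytes and the `read_live_mbr` helper are assumptions for illustration. One caveat a practitioner should keep in mind: a kernel-mode rootkit that hooks disk I/O can hand a clean copy of sector 0 to user-mode readers, so a comparison run from inside the infected Windows session can come back clean; that is why boot-time or offline scans were needed here.

```python
"""Parse an MBR sector and compare its boot code against a backup copy."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # boot code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE_OFF = 510          # 0x55 0xAA marks a valid MBR
PART_ENTRY = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return boot-code hash, used partition entries and signature status."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFF)[0]
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba_start, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": signature == 0xAA55,
    }


def compare_mbr(live: bytes, backup: bytes) -> list:
    """List the ways the live sector differs from a trusted backup."""
    findings = []
    now, ref = parse_mbr(live), parse_mbr(backup)
    if not now["signature_ok"]:
        findings.append("live MBR lacks the 0x55AA boot signature")
    if now["boot_code_sha256"] != ref["boot_code_sha256"]:
        findings.append("boot code differs from backup (bootkit-style modification)")
    if now["partitions"] != ref["partitions"]:
        findings.append("partition table differs from backup")
    return findings


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk on Windows (needs administrator rights).
    Assumed usage; not exercised by the constructed samples below."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a synthetic MBR from boot code and (bootable, type, lba, count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xff\xff\xff",
                         ptype, b"\xff\xff\xff", lba_start, count)
    struct.pack_into("<H", sector, SIGNATURE_OFF, 0xAA55)
    return bytes(sector)


# Constructed samples: a stand-in for a clean boot loader, and the same sector
# with its boot code replaced while the partition table is left untouched.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 24  # assumed
TAMPERED_BOOT_CODE = b"\xeb\x3c" + b"\xcc" * 40                          # assumed
PARTITIONS = [(True, 0x07, 2048, 204800)]                                 # assumed NTFS layout

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)       # plays the role of MBR.dat
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, PARTITIONS) # what a bootkit leaves behind
UNSIGNED_MBR = CLEAN_MBR[:SIGNATURE_OFF] + b"\x00\x00"   # signature clobbered

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR),
                         ("unsigned", UNSIGNED_MBR)):
        print(name, compare_mbr(sector, CLEAN_MBR) or "matches backup")
```

Run against a real disk, `compare_mbr(read_live_mbr(), open("MBR.dat", "rb").read())` is the check; the partition table matching while the boot-code hash differs is exactly the pattern the forum user's Avast alerts describe.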
Offline serkam

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #6 on: April 01, 2011, 07:51:25 PM »
Hi Essexboy

Good afternoon.

It worked!!!

Avast doesn't complain about rootkit anymore. At least, until now.

I can't upload both logs, so I will upload the TDSSKiller log first and the OTS log in the next reply, ok?

Good work.

Have a nice weekend.
« Last Edit: April 01, 2011, 07:55:53 PM by serkam »

Offline serkam

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #7 on: April 01, 2011, 07:54:16 PM »
The OTS log file is larger than this forum's maximum limit.

If you need it, I'll break it into 2 parts, ok?

Thanks.

Online DavidR

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #8 on: April 01, 2011, 08:04:09 PM »
You can use a file sharing site such as Mediafire.com: upload to http://www.mediafire.com/ and post the sharing link.

Offline essexboy

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #9 on: April 01, 2011, 10:07:31 PM »
The reason the log is too large is that it is saved in Unicode. Could you resave it as ANSI? Then it will fit.