Avast WEBforum
Other => Viruses and worms => Topic started by: Stable on February 22, 2011, 12:26:19 AM
-
Hi, I've got a message from avast saying that it has detected a rootkit with a heuristic method, saying "\\.\physicaldrive0 MBR:Win32:MBRoot".
The delete option doesn't seem to work, nor does the boot time scan. I've also run Malwarebytes' Anti-Malware, which didn't find anything relevant (I attached the log anyway).
So I ran the OTL tool from this thread (http://forum.avast.com/index.php?topic=53253.0). I've attached the log. I had to run it more than once, because the first time I realised my comp's date setting was wrong, and the extras file said it couldn't access several databases, but now I have no extras file. I hope that's not essential; don't know why it's stopped appearing.
Thanks in advance.
-
Essexboy is notified...
You'll find him here tomorrow at 8:00pm - 11:59pm UK time
http://www.timeanddate.com/worldclock/
-
OK, let's go for it :D
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.jpg)
Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2.png)
Click "Fix" in case of infection
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR3.png)
Save the aswMBR.log to the desktop and post in your next reply
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR4.png)
THEN
Please read carefully and follow these steps.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
- If an infected file is detected, the default action will be Cure, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png)
- If a suspicious file is detected, the default action will be Skip, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
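As an added example (not code from the original thread, nor from aswMBR, TDSSKiller or Avast), here is a small Python script that shows what an MBR scanner is actually looking at: it reads sector 0 of a disk or disk image, checks the 0x55AA boot signature, parses the four partition-table entries and hashes the 446-byte boot-code region that an MBR bootkit overwrites, then compares that hash against a baseline taken while the machine was known clean. The sample MBR bytes, the "tampered" variant and the `read_mbr`/`check_mbr` helpers are all constructed here for illustration; the device path `\\.\PhysicalDrive0` is the same one named in the avast alert above and needs an elevated prompt.

```python
"""Inspect a Master Boot Record the way an MBR rootkit scanner does.

Added example for this thread; not code from aswMBR, TDSSKiller or Avast.
The sample MBR bytes below are constructed by hand for illustration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 0x1BE          # 446 bytes of boot code precede the table
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries
BOOT_SIGNATURE_OFFSET = 0x1FE   # a valid MBR ends in 0x55 0xAA
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0C: "FAT32 (LBA)",
                   0x82: "Linux swap", 0x83: "Linux"}


def read_mbr(path):
    """Read sector 0 of a raw disk or a disk image file."""
    # On Windows, path would be r"\\.\PhysicalDrive0" (needs an elevated
    # prompt); on Linux, /dev/sda. A disk image file works the same way.
    with open(path, "rb") as fh:
        data = fh.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise ValueError("short read: got %d bytes, expected %d" % (len(data), SECTOR_SIZE))
    return data


def parse_mbr(mbr):
    """Return signature validity, SHA-256 of the boot code and the partitions."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for index in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * index
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4), little-endian
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": mbr[BOOT_SIGNATURE_OFFSET:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr, known_good_sha256):
    """Compare an MBR against a boot-code hash recorded while the machine was clean.

    Returns a list of findings; an empty list means nothing looked wrong.
    """
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from known-good baseline")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


def partition_entry(status, ptype, lba_start, sectors):
    """Build one partition-table entry; the CHS fields are filler here."""
    return struct.pack("<B3sB3sII", status, b"\x00\x00\x00", ptype, b"\xFF\xFF\xFF",
                       lba_start, sectors)


# Constructed sample: generic-looking boot code, a bootable NTFS system
# partition, a second NTFS partition, two empty slots and a valid signature.
SAMPLE_MBR = (b"\x33\xC0\x8E\xD0" + b"\x90" * (BOOT_CODE_SIZE - 4)
              + partition_entry(0x80, 0x07, 2048, 204800)
              + partition_entry(0x00, 0x07, 206848, 41734144)
              + b"\x00" * 32
              + b"\x55\xAA")
CLEAN_BASELINE = parse_mbr(SAMPLE_MBR)["boot_code_sha256"]

# Same MBR with the first 16 bytes of boot code replaced: the partition table
# is untouched, so only the boot-code hash reveals the change.
TAMPERED_MBR = b"\xCC" * 16 + SAMPLE_MBR[16:]

if __name__ == "__main__":
    for name, mbr in (("clean", SAMPLE_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        print(name, "signature_ok=%s sha256=%s" % (info["signature_ok"], info["boot_code_sha256"]))
        for p in info["partitions"]:
            print("  #%d %s start=%d sectors=%d" % (p["index"], p["type_name"], p["lba_start"], p["sectors"]))
        print("  findings:", check_mbr(mbr, CLEAN_BASELINE) or "none")
```

The point of the baseline is that the partition table of an infected MBR usually looks perfectly normal; what changes is the boot code, so a hash of the first 446 bytes recorded from your own clean disk is the quickest way to see whether a "Fix" actually restored it, or whether something rewrote it again after a reboot.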
-
Well, I've rebooted and the message hasn't popped up, so it seems to have been cleared. Thanks very much! I assume changing all my passwords now would be a good idea.
Reports attached.
-
Excellent, aswMBR killed it first.
Do you have any other problems ?
And yes it would be prudent to change passwords
-
Nope, that's me sorted.
Thanks again essexboy!
-
OK just delete both files from your desktop and enjoy ;D
-
hi guys,
I just installed Comodo Time Machine and my Avast is reporting it as Win32:MBRoot. Do you think it is a false positive message? I deleted it with your instructions, but I really want to keep that program on my system.
More interesting is that on my laptop Avast is not notifying me about this MBRoot, and I have the same application installed there!!!
What shall I do???
Thanks
Lucian
-
What shall I do???
Open a new topic for your problem. ;)
Thanks,
asyn