Avast doesn't detect win32/mebroot.h trojan

[meck]

Hi all,
  i used my pendrive in a pc with other antivirus and this detected win32/mebroot.h trojan. Is a MBR trojan (?). Why did not avast detect it?

 Thanks \o

[Lisandro]

Difficult to say... but is it detected within a file or just the MBR?
Maybe you haven't a file to send to avast for analysis...

[meck]

Hi Tech,

Just MBR.

Reading others forums i saw a possible solution using mbr.exe from http://www.gmer.net. But in my computer doesn't work. Could i send a file using mbr.exe?

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x12a14c00 size 0x194 !

Thanks \o

[meck]

Hi, i am going to reinstall windows.

Thanks \o

[Lisandro]

Could i send a file using mbr.exe?

GMER now belongs to Alwil as the same as avast.
I don't think mbr.exe will send/collect any information.

Hi, i am going to reinstall windows.

There are some ways to fix mbr before reinstalling Windows...

[meck]

Could i send a file using mbr.exe?

GMER now belongs to Alwil as the same as avast.
I don't think mbr.exe will send/collect any information.

Hi, i am going to reinstall windows.

There are some ways to fix mbr before reinstalling Windows...

 

Well how can i do that?, I have used fixmbr from "recuperation console" Recovery Console,  but mbr.exe shows the same message:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x12a14c00 size 0x194 !

[Lisandro]

Well how can i do that?, I have used fixmbr from "recuperation console"

One way to do so. Even following this way can't you boot?
Why do you think that now your MBR is corrupt?

[meck]

Because mbr.exe is showing the message: malicious code @ sector 0x12a14c00 size 0x194 !

\o

[wyrmrider]

google gives some interesting threads on your hits

http://www.wilderssecurity.com/archive/index.php/t-211133.html

[meck]

Using gmer.exe (mbr.exe) version 1.0 copied these sector to a file and when was writing it, Avast antivirus detected it like Win32:MBRoot-B [Rtk] !!


Thanks wyrmrider \o

[meck]

I am going to use fixboot like say at http://www.wilderssecurity.com/archive/index.php/t-211133.html

Not works!, The bad bug doesn't want to go..

[wyrmrider]

there is a boot fix on the ANTIVIR website under "programs"
no idea if it is any different
did you try a "scan on boot" option with Avast?
perhaps someone with experience with this baddie will show up Monday
did you get the file copied?
if so submit to "Virus Total" and to Avast

[meck]

Here scanning with VirusTotal.

http://www.virustotal.com/en/analisis/223a5f1a6ff39449f1095aebb695c0b7

[wyrmrider]

someone much older and wiser than I may have an answer coming
but the next thing I would do would be to post in the Virus and Worms Forum- scroll down
give a link to this thread
you might ask that since this is a trojan if you should be in a antimalware forum

Sunbelt found it
so a download and scan with Counterspy free try and a post in the sunbelt forum might work if nothing else pops up here
also Trojan Hunter is worth a shot
A-squared but watch for FP's on ALL of these

A lot of scanners like DrWeb and Kaspersky which is usually good with trojans did  not give hits
IS there still a DOS boot scanner around
AVG used to have one
puts thinking cap on

I am concerned about the .gen which usually means a heuristic hit and not a proven positive
wadda you think?

[meck]

Ooops, sorry :/