Author Topic: Avast doesn't detect win32/mebroot.h trojan  (Read 11448 times)

Offline Maxx_original

  • Avast team
Re: Avast doesn't detect win32/mebroot.h trojan
« Reply #15 on: July 15, 2008, 09:54:24 AM »
meck: what is your Avast version number?

meck

  • Guest
Re: Avast doesn't detect win32/mebroot.h trojan
« Reply #16 on: July 15, 2008, 09:56:06 AM »
Maxx_original: 4.8.1201

leemar

  • Guest
Re: Avast doesn't detect win32/mebroot.h trojan
« Reply #17 on: July 15, 2008, 10:18:48 AM »
Avast is not using heuristic analysis. It uses its definition database for both the on-demand scanner and the resident scanner, so the file detected is the same match in their definition.


Offline Vlk

  • Avast CEO
    • ALWIL Software
Re: Avast doesn't detect win32/mebroot.h trojan
« Reply #18 on: July 15, 2008, 11:24:11 AM »
meck: the MBR itself seems to be clean (at least according to the mbr.exe output you posted).
Sector 0x12a14c00  may contain some shyte but it shouldn't get activated.

Seems like somebody already tried to disinfect the MBR rootkit, and wasn't quite thorough...

Anyway, are you saying the system doesn't boot?
Also, what does this have to do with a pen drive? ???

Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.

meck

  • Guest
Re: Avast doesn't detect win32/mebroot.h trojan
« Reply #19 on: July 15, 2008, 11:50:15 AM »
Quote
meck: the MBR itself seems to be clean (at least according to the mbr.exe output you posted).
Sector 0x12a14c00  may contain some shyte but it shouldn't get activated.

Seems like somebody already tried to disinfect the MBR rootkit, and wasn't quite thorough...

Anyway, are you saying the system doesn't boot?

The system boots. :)

Quote
Also, what does this have to do with a pen drive? ???

Cheers
Vlk

Because I used the pendrive in another PC with a different antivirus (NOD32); when I plugged it into the PC, this warning message appeared:

Code:
11/07/2008 10:15:30 Startup scanner boot sector MBR sector of the 1. physical disk Win32/Mebroot.H trojan error while cleaning - operation unavailable for this object type

Where 1. physical disk was my pendrive. :/

Thanks \o
« Last Edit: July 15, 2008, 11:53:26 AM by meck »

wyrmrider

  • Guest
Re: Avast doesn't detect win32/mebroot.h trojan
« Reply #20 on: July 15, 2008, 04:24:26 PM »
leemar, thanks for the input
however
we were discussing the VirusTotal results, where many of the other AVs DO use heuristics

Meck
VLK has joined the discussion Monday as predicted
let him solve this

I can remember when we used Norton Utilities to edit these things...
not suggesting this though

Offline Vlk

  • Avast CEO
    • ALWIL Software
Re: Avast doesn't detect win32/mebroot.h trojan
« Reply #21 on: July 15, 2008, 05:24:58 PM »
meck, so you're not talking about the MBR of your hard drive being infected, you're talking just about the MBR of the pendrive?

Do I understand it correctly?

meck

  • Guest
Re: Avast doesn't detect win32/mebroot.h trojan
« Reply #22 on: July 15, 2008, 05:52:20 PM »
First of all, Vlk, I saw the NOD32 warning message with the pendrive. Then I searched for a solution. I found that using mbr.exe fixed it, but it just scanned the hard disk. Using mbr.exe, the result was:


Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

malicious code @ sector 0x12a14c00 size 0x194 !



I am talking about the MBR of my hard drive, Vlk. Apparently, the pendrive MBR is OK; I just formatted it. :o
« Last Edit: July 15, 2008, 05:57:57 PM by meck »