Topic: Avast having issues with MBR Malware/Rootkit Infection

coolsilver

  • Guest
Avast having issues with MBR Malware/Rootkit Infection
« on: November 11, 2010, 04:18:55 PM »
Hello,

I've seen over the past two weeks machines that exhibit behavior with a malware rootkit infection. I have scanned these machines with Avast as well as Malwarebytes. Both seem oblivious to these infections at least until they use the network connection.

From what I have seen the PC is clean according to a full scan on high settings. I cannot go to the Windows Update site; it is blocked. I get popups from Internet Explorer from sites. Some of these sites cause Avast to pop up saying malware is blocked from loading.

So I load GMER. It finds it in the MBR. I do a FIXMBR on the system, rescan. Windows update site works. There are no more popups.


My question is... Why doesn't Avast have the ability to scan the MBR and alert the user better? I realize since it is in the MBR it loads directly into memory. The kernel has little access to it because it is allocated memory. Avast has little chance to remove the running infection but can at least see the MBR.

Once the MBR is cleaned and the PC is powered completely down so the memory is cleared, the threat is gone unless Windows itself has some rootkit hooks to reload it, which Avast should detect anyway.

Just wondering. Hope to see something good in 5.1 when it comes around. :D
« Last Edit: November 11, 2010, 07:34:02 PM by coolsilver »
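The MBR check the poster above wishes a scanner would perform can be approximated offline. The following is an added example, not code from this thread or from any Avast product: it parses a raw 512-byte MBR, validates the 0x55AA boot signature and the four partition entries, and compares a SHA-256 of the boot code against a baseline recorded while the disk was known clean. The sample sectors, the baseline value and the `build_sample_mbr` helper are constructed for the example and are not real vendor boot code. One caveat the thread's experience points at: a sector read from inside a running, already-infected Windows passes through the disk driver stack the rootkit controls, so run the check against an offline image or from boot media rather than trusting a live read.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445: the boot code the BIOS jumps into
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR


def read_mbr(path: str) -> bytes:
    """Read the first sector of a disk image or raw device (needs admin on a live disk)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status (1), CHS start (3, skipped), type (1), CHS end (3, skipped),
        # LBA of first sector (4, little-endian), sector count (4, little-endian)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the clean baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(bootable) > 1:
        findings.append("more than one partition flagged bootable")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {i}: non-empty type but zero length")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: one bootable NTFS-type (0x07) partition and a valid signature."""
    boot_code = boot_code.ljust(BOOT_CODE_SIZE, b"\x90")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


# Constructed data for the example: a "clean" sector and the baseline taken from it.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed "tampered" copy: the first bytes of the boot code have been altered,
# while the partition table and signature are left intact, as a bootkit would.
TAMPERED_MBR = bytearray(CLEAN_MBR)
TAMPERED_MBR[0:5] = b"\xea\x00\x7c\x00\x00"
TAMPERED_MBR = bytes(TAMPERED_MBR)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE) or "OK")
```

`read_mbr` accepts a disk image file or, with administrative rights, a raw device such as `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux. Record the baseline hash once, while the disk is trusted, and keep it somewhere the machine under test cannot rewrite; a partition table that still parses cleanly tells you nothing about the boot code, which is why the hash comparison is the check that matters.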

coolsilver

  • Guest
Re: Avast having issues with MBR Malware/Rootkit Infection
« Reply #1 on: November 13, 2010, 03:51:47 AM »
Ok.

Well I am sure as these threats become more common my customers whom I recommend Avast to will be able to worry less. I know Avast will protect them. 

coolsilver

  • Guest
Re: Avast having issues with MBR Malware/Rootkit Infection
« Reply #2 on: November 13, 2010, 04:21:15 PM »
After many scans with Avast, Malwarebytes, Trend Micro, Hitman Pro, and other malware fixers like ComboFix, the system is clean; however, TDSSKiller still shows an MBR infection. F-Secure is the only program that actually found any files as part of the infection.

I see multiple threads about these; I thought maybe we could have a discussion to help Avast on what the most common traits of these new malware threats are.

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: Avast having issues with MBR Malware/Rootkit Infection
« Reply #3 on: November 14, 2010, 04:23:37 PM »
I hope you are sending the found files to the Avast! team for analysis ...
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

coolsilver

  • Guest
Re: Avast having issues with MBR Malware/Rootkit Infection
« Reply #4 on: November 15, 2010, 09:17:36 PM »
The only file I have found... no I haven't. My associate has since been working on the latest system. The rest resides in the MBR. Unless I can back that up somehow and forward it, it doesn't seem to need any Windows DLLs or other hooks other than to load. Disk.sys is clean, and the same goes for any other files that have been common with TDSS.TLD4.

At this point the customer wants his system back, clean and working as before.

SafeSurf

  • Guest
Re: Avast having issues with MBR Malware/Rootkit Infection
« Reply #5 on: November 16, 2010, 09:50:42 AM »
coolsilver,

Are you looking for malware removal help?  If so, check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTL logs.  Post the two (2) OTL logs as attachments (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).  After reviewing them, I can then refer you to one of our malware experts.  Thank you.

Offline -Genesis-

  • Sr. Member
  • ****
  • Posts: 286
Re: Avast having issues with MBR Malware/Rootkit Infection
« Reply #6 on: November 16, 2010, 02:03:56 PM »
When dealing with the MBR, you should not remove it yourself even if it is detected by AVs, antimalware or other powerful tools, because it can mess up and your OS would not start.

I would suggest an expert helper would guide you.
Windows 11 Pro / Windows Defender/
Ryzen 5 1600/ Aorus Gtx 1080Ti Xtreme/ Gskill Trident Z RGB 3000/ Samsung Evo 250GB/ Western Digital Black 1 TB

coolsilver

  • Guest
Re: Avast having issues with MBR Malware/Rootkit Infection
« Reply #7 on: November 16, 2010, 02:57:18 PM »
It's been resolved. After many hours my associate has the system clean.

The customer is happy after nearly a week removing these threats.

We see these threats commonly as I am employed by a repair shop. This last one seemed to get by most scanners.

If I can get more information from the other techs here I will forward it on.
« Last Edit: November 16, 2010, 03:03:32 PM by coolsilver »

DavidCo

  • Guest
Re: Avast having issues with MBR Malware/Rootkit Infection
« Reply #8 on: November 16, 2010, 05:32:04 PM »
I have just had a wonderful time cleaning a PC (daughter's) that had TDSS.TLD4.
Avast boot time did not see it, nor did MBAM, both up to date. Cannot expect 100% all of the time.
It was interesting to note that MBAM did not find any registry entries.
TDSSKiller was the only thing that would find and get rid of it, but you must choose quarantine, not cure. You may have to run TDSSKiller a couple of times to get the reboot signal that you need.
Then run Stinger.

There were many oddities about this infection.
It would not allow a visit to any Anti-Virus/malware site but redirected to a fake.
But it did not give the game away by stopping any updates.

Very nasty.
 
« Last Edit: November 16, 2010, 05:34:36 PM by DavidCo »

SafeSurf

  • Guest
Re: Avast having issues with MBR Malware/Rootkit Infection
« Reply #9 on: November 17, 2010, 09:01:52 AM »
@ coolsilver,

Browse through the Virus and Worms section of this forum, and take a look at posts by Essexboy, who is our Certified Malware Expert (he also has a sticky in this part of the forum).

If you feel that your issue is now resolved/fixed, please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed. 

Feel free to come back any time you need help, to learn something new, or just to ask questions.  We are here 24/7 for your convenience.  Thank you.

coolsilver

  • Guest
Re: Avast having issues with MBR Malware/Rootkit Infection
« Reply #10 on: November 17, 2010, 04:03:39 PM »
My question is... Why doesn't avast have the ability to scan the MBR and alert the user better?

Just wondering.

I didn't come for help. If I did it would have been in the appropriate forum.

I came here to see if anyone else had noticed the same thing.

While I did have a system with a problem, I wasn't looking for a way to solve it.

Between F-Secure safe mode scans and a few others it was cleared.

Thank you anyway. I will remember to email VLK directly when having questions about how Avast handles malware.

Someone may lock this thread now my question has been answered.
« Last Edit: November 17, 2010, 04:14:52 PM by coolsilver »

SafeSurf

  • Guest
[RESOLVED] Avast having issues with MBR Malware/Rootkit Infection
« Reply #11 on: November 18, 2010, 10:03:10 AM »
In the future, you may want to look in the Support section for security updates and the Virus and Worms section, as there has been news recently of Win7 and Vista malware variants that are difficult to remove and of the troubleshooting procedures that have been done by our Certified Malware Expert, Essexboy.  So emailing Vlk would not be my suggestion.  You can see these cases, of which we have several now, in the forum.

Only you can close the thread you opened.  To do this:  please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed.  Thank you.  :)