Author Topic: Rootkit: hidden boot sector (Read 35576 times)

essexboy · « **Reply #30 on:** March 04, 2011, 06:59:10 PM »

Is Avast alerting on this as there are no indications at all of it on those logs

Adambrix · « **Reply #31 on:** March 04, 2011, 09:48:14 PM »

yes Avast is alerting and so is aswMBR when I run a scan?

essexboy · « **Reply #32 on:** March 04, 2011, 10:10:38 PM »

OK lets use MBRcheck on this, two runs for the second run select drive 6

Run MBRCheck.exe
Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Please push the 'Y' key and then press Enter
When program ask you Enter your choice: enter 2 and press the Enter key
Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
Enter 1 and press the Enter key.
The program will show Available MBR codes:, followed by a list of operating systems. Please enter [ 5] Windows 7, and then press Enter.
The program will prompt for confirmation. Type YES and press Enter (Must type the full word, YES). You will be informed if successfully wrote a new MBR code!
A text file will be saved to your desktop
Paste that report into your next post
Restart your PC.

Adambrix · « **Reply #33 on:** March 05, 2011, 12:28:23 PM »

Thanks, here you go.

essexboy · « **Reply #34 on:** March 05, 2011, 12:30:56 PM »

OK big question - having done that have the alerts ceased ?

Adambrix · « **Reply #35 on:** March 05, 2011, 01:56:18 PM »

Well nothing from Avast yet today, it's still showing in aswMBR though, see attached?

essexboy · « **Reply #36 on:** March 05, 2011, 02:03:47 PM »

Does MBRcheck still show it, and is that a bootable drive ?

Adambrix · « **Reply #37 on:** March 05, 2011, 03:14:28 PM »

See attached. I have a dual boot system so not sure which is drive 1 (windows 7 or xp) but I only really use windows 7 now anyway. I presume it's the windows 7 drive as i haven't used xp for ages??!!

essexboy · « **Reply #38 on:** March 05, 2011, 03:22:06 PM »

I have a feeling drive 1 may have been XP could you try to log on to that system please

Adambrix · « **Reply #39 on:** March 05, 2011, 04:11:02 PM »

Managed to log into xp fine.

essexboy · « **Reply #40 on:** March 05, 2011, 06:30:05 PM »

Did you also do drive 6 with MBRcheck ? as that may be what ASWMbr is picking up

Adambrix · « **Reply #41 on:** March 06, 2011, 12:24:44 PM »

No, should I?

Adambrix · « **Reply #42 on:** March 06, 2011, 12:48:01 PM »

I also just did a rootkit scan with Avast & it still says the threat is on physical drive 1!?

essexboy · « **Reply #43 on:** March 06, 2011, 01:16:14 PM »

And there is stilll no fix button ?

On your desktop should be an MBR.dat file could you scan that with Avast via the right click function
If it does not alert then could you add it to the virus chest and then upload to the virus labs

You can put my name in if you wish - I will ask GMER to look at this thread

essexboy · « **Reply #44 on:** March 06, 2011, 04:07:37 PM »

If there is no mbr.dat on the desktop could you run ASWMbr again please and save the log. As GMER would like to look at it

Then do you know how to upload it to Avasts FTP incoming ?

Author Topic: Rootkit: hidden boot sector (Read 35576 times)

essexboy

Re: Rootkit: hidden boot sector

Adambrix

Re: Rootkit: hidden boot sector

essexboy

Re: Rootkit: hidden boot sector

Adambrix

Re: Rootkit: hidden boot sector

essexboy

Re: Rootkit: hidden boot sector

Adambrix

Re: Rootkit: hidden boot sector

essexboy

Re: Rootkit: hidden boot sector

Adambrix

Re: Rootkit: hidden boot sector

essexboy

Re: Rootkit: hidden boot sector

Adambrix

Re: Rootkit: hidden boot sector

essexboy

Re: Rootkit: hidden boot sector

Adambrix

Re: Rootkit: hidden boot sector

Adambrix

Re: Rootkit: hidden boot sector

essexboy

Re: Rootkit: hidden boot sector

essexboy

Re: Rootkit: hidden boot sector