Author Topic: aswMBR says that removed the rootkit, but in fact didn't  (Read 5714 times)


Offline serkam

aswMBR says that removed the rootkit, but in fact didn't
« on: March 31, 2011, 03:12:15 PM »
Hi

I used aswMBR as stated in other topic, apparently it removed the rootkit, as shown in the log attached, but, after reboot, Avast complains that the kit is still present:

MBR:\\.\PHYSICALDRIVE0
(remove)

\\.\PHYSICALDRIVE0 MBR: TDL4
(remove)

I already did a full scan at boot (took all night) using the actual Avast Free version (6.0.1000) and with Malwarebytes' Anti-Malware.

What can I do now to remove this rootkit, please?


Offline Pondus

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #1 on: March 31, 2011, 05:19:24 PM »
Which button did you click, "FIX MBR" or "FIX"?
Do a new scan, click "save log" and post it here.


Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)


To avoid multiple posts with copy and paste, attach the logs instead:
Lower left corner: Additional Options > Attach (Malwarebytes log / OTS log)


Essexboy will check the log(s) when he arrives later today.




Offline serkam

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #2 on: March 31, 2011, 05:28:23 PM »
Hi Pondus

I clicked FIX, because the FIXMBR button was greyed out. I attached the image and the log.


Thanks

Offline essexboy

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #3 on: March 31, 2011, 07:25:36 PM »
Could you post a fresh aswMBR log please, along with the OTS log?

Offline serkam

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #4 on: April 01, 2011, 08:30:58 PM »
Hi Essexboy

The logs you requested follow.

Rootkit still alive.

Best Regards

Offline essexboy

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #5 on: April 01, 2011, 08:49:08 PM »
Do you have on your desktop a file called MBR.dat ?

We will use TDSSKiller for now. I would also like an OTS log as well, in case there is a respawner on your system.

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
Download OTS to your Desktop and double-click on it to run it.
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check


  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.
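The question about MBR.dat above is the key check here: aswMBR keeps a copy of the master boot record it saw, so once you have a backup sector you can tell exactly which part of the live MBR keeps changing. The script below is an added example, not part of this thread or of aswMBR/TDSSKiller, that diffs two 512-byte MBR sectors region by region (bootstrap code, disk signature, partition table, 0x55AA signature) and reports how many sectors lie past the last partition, the unpartitioned tail where an MBR bootkit can park its own code. The two sample sectors, the partition layout and the disk size are constructed for illustration, not taken from the poster's machine.

```python
"""Diff a live MBR sector against a saved backup (e.g. aswMBR's MBR.dat).

Added example; the sample sectors below are constructed, not real captures.
"""
import struct

SECTOR = 512
BOOTSTRAP = slice(0, 440)      # bootstrap code: the region a bootkit replaces
DISK_SIG = slice(440, 444)     # Windows disk signature
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
BOOT_SIG = slice(510, 512)     # must be 0x55 0xAA


def parse_partitions(mbr):
    """Return the non-empty entries of the MBR partition table."""
    assert len(mbr) == SECTOR, "MBR must be exactly one 512-byte sector"
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE][i * 16:(i + 1) * 16]
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append({"status": status, "type": ptype, "lba_start": lba_start,
                      "sectors": count, "lba_end": lba_start + count - 1})
    return parts


def compare_mbr(current, backup, disk_sectors=None):
    """Diff two MBR sectors and classify the result.

    A bootkit normally rewrites the bootstrap code but keeps the partition
    table intact so Windows still boots; changed code with an unchanged table
    is the pattern to look for when a "fix" does not survive a reboot.
    """
    report = {
        "boot_sig_ok": current[BOOT_SIG] == b"\x55\xaa",
        "bootstrap_changed": current[BOOTSTRAP] != backup[BOOTSTRAP],
        "disk_sig_changed": current[DISK_SIG] != backup[DISK_SIG],
        "partition_table_changed": current[PART_TABLE] != backup[PART_TABLE],
        "tail_sectors": None,
    }
    parts = parse_partitions(current)
    if disk_sectors is not None and parts:
        # Sectors after the last partition: unallocated space the OS never
        # touches, which is where an MBR bootkit can hide its payload.
        report["tail_sectors"] = disk_sectors - max(p["lba_end"] for p in parts) - 1
    if not report["boot_sig_ok"]:
        report["verdict"] = "invalid MBR (missing 0x55AA signature)"
    elif report["bootstrap_changed"] and not report["partition_table_changed"]:
        report["verdict"] = ("bootstrap code replaced, partition table intact: "
                             "consistent with an MBR bootkit")
    elif report["bootstrap_changed"] or report["partition_table_changed"]:
        report["verdict"] = "MBR differs from backup"
    else:
        report["verdict"] = "MBR matches backup"
    return report


def build_mbr(bootstrap, disk_sig, partitions):
    """Assemble a 512-byte MBR from its parts (used here only to build samples)."""
    code = bootstrap.ljust(440, b"\x00")
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return code + disk_sig + b"\x00\x00" + table + b"\x55\xaa"


# Constructed sample data: one bootable NTFS partition starting at LBA 63 on a
# disk of 156301488 sectors. The bootstrap bytes are filler, not real loaders.
DISK_SECTORS = 156301488
PARTS = [(0x80, 0x07, 63, 156296322)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"constructed clean bootstrap",
                      b"\x12\x34\x56\x78", PARTS)
# Same disk signature and partition table, but the bootstrap code was swapped.
INFECTED_MBR = build_mbr(b"\xfa\xeb\x00" + b"constructed bootkit loader",
                         b"\x12\x34\x56\x78", PARTS)

if __name__ == "__main__":
    for key, value in compare_mbr(INFECTED_MBR, CLEAN_MBR, DISK_SECTORS).items():
        print(f"{key}: {value}")
```

On a real machine you would read the first 512 bytes of `\\.\PhysicalDrive0` from an elevated prompt and pass them in as `current`, with MBR.dat as `backup`. One caveat a practitioner should keep in mind: a bootkit that is already running can filter disk reads and hand user-mode tools the original, clean sector, which is why a boot-time scan or a read from rescue media is more trustworthy than a comparison made from inside the infected Windows session.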

Offline serkam

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #6 on: April 01, 2011, 09:51:25 PM »
Hi Essexboy

Good afternoon.

It worked!!!

Avast doesn't complain about rootkit anymore. At least, until now.

I can't upload both logs, so I will upload the TDSSKiller log first, and the OTS log in the next reply, ok?

Good work.

Have a nice weekend.
« Last Edit: April 01, 2011, 09:55:53 PM by serkam »

Offline serkam

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #7 on: April 01, 2011, 09:54:16 PM »
OTS log file is larger than the maximum limit of this forum.

If you need it, I'll break it into 2 parts, ok?

Thanks.

Offline DavidR

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #8 on: April 01, 2011, 10:04:09 PM »
- You can use a file sharing site such as Mediafire.com - Upload to http://www.mediafire.com/ and post the sharing link.

Offline essexboy

Re: aswMBR says that removed the rootkit, but in fact didn't
« Reply #9 on: April 02, 2011, 12:07:31 AM »
The reason the log is too large is that it is saved in Unicode. Could you resave it as ANSI? Then it will fit.